More Than Subdomain Takeover: Ways To Takeover, Hijack And Impersonate Your Website

In my last post about subdomain takeovers, we talked about what subdomain takeovers are and how hackers can use them to attack shared-session SSO. Today, let’s dive deeper into subdomain takeovers and some other ways hackers can hijack your website.

Subdomain Takeover Recap

Subdomain takeover is when a hacker takes control over a company’s unused subdomain. It happens when a stale DNS entry points to a domain that is available for registration. Let’s say a company hosts its site on a third-party service, such as AWS or Github Pages. When this third-party site is deleted, a CNAME record that points from the company’s subdomain to that third-party site will remain unless someone removes it. But, since the third-party site is now unclaimed, anyone who registers that site on the third-party service gains control over the company’s subdomain. For example, an organization hosts its subdomain abc.example.com on the GitHub page abc_example.github.io. The company later decides to delete the Github page but forgets to remove the CNAME record pointing abc.example.com to abc_example.github.io. Since abc_example.github.io is now unclaimed, an attacker can create a GitHub page at abc_example.github.io. And, because abc.example.com still points to abc_example.github.io, the attacker now has full control over abc.example.com. Now when a user browses abc.example.com, she would see an attacker-controlled site. The impact of a subdomain takeover varies. At the very least, subdomain takeovers enable attackers to launch sophisticated phishing campaigns. In some cases, it can lead to Cross-Site Scripting (XSS) or malicious redirects. And when a site uses shared-session SSO, it could even lead to session theft and account takeovers!

Types of Subdomain Takeover

The majority of subdomain takeover vulnerabilities happen because of stale DNS CNAME entries. The example above illustrates the typical attack scenario, where a CNAME record of the organization points to an empty site hosted by a third-party service.

CNAME Chains

But sometimes a CNAME record does not point directly to a domain available for takeover. Instead, it points to another domain with a CNAME, forming a CNAME chain. If the end of that CNAME chain is available for takeover, attackers can take over that site and achieve the same results.

a.example.com -> b.example.com -> example.github.io

In the above scenario, attackers can take over both a.example.com and b.example.com by registering example.github.io.

MX Takeovers

Takeovers can also happen if there are misconfigurations with other kinds of DNS records. MX records are used to receive emails for a domain name. If an attacker is able to gain control over the domain name pointed to by your MX records, she will be able to receive emails addressed to your domain. This can lead to the exposure of sensitive information to outsiders.

NS Takeovers

Finally, NS takeovers occur when there are stale NS records. If an attacker is able to take over the base domain of an NS entry, she can return any DNS response when your site is requested, and redirect the user anywhere she pleases.

Second-Order Takeovers

There is also another class of takeover attacks, called "second-order takeovers" or "broken link hijacking". They happen when a website uses a resource that is hosted on an external domain, which in turn is vulnerable to takeover. For example, a website uses a JavaScript file hosted on an external domain. When that external domain is deleted and becomes available for registration to anyone, an attacker can register that external domain and host an arbitrary JS file that would be included on the website.

The Impact of Link Hijacking

The impact of second-order takeovers depends on the type of link that was hijacked. If the broken link is embedded in a script tag, attackers will be able to cause a persistent XSS on the page.

<script src=”http://external.com/render.js”></script>

The HTML link tag is used for linking external stylesheets. If the broken link is in an HTML link tag, attackers could link the site to a malicious stylesheet, and cause clickjacking or website defacement.

<link rel="stylesheet" type="text/css" href="http://external.com/theme.css">

And if the broken link is located in an HTML anchor tag, attackers could redirect your users to a malicious site. Since the site is linked from your legitimate website, this makes for a very convincing phishing attack!

<a href=“http://external.com”>Visit our new website!</a>

To make matters worse, if your anchor tag is missing the rel=”noopener noreferrer” attribute, the hijack can have additional security consequences.

<a href=“http://external.com” rel=”noopener noreferrer”>Visit our new website!</a>

If the attacker hijacks an anchor tag that is missing the “noopener” attribute, they might be able to change the content and location of the originating page. On the other hand, if the anchor tag is missing a “noreferrer” attribute, the hijacked link might leak sensitive info like object IDs to the malicious site.

Social Media Hijacking

Another way attackers can impersonate your site is through social media hijacking. Let’s say you register a username on a social media site and link to it from your website.

<a href=“https://twitter.com/vickieli7” rel=”noopener noreferrer”>Visit our Twitter page!</a>

When you later delete that account or change your username, social media sites usually free up that username for others to register. If you don’t update that social media link on your site, an attacker could register your old username and impersonate your social media presence. Still, another consideration when using social media is the integrity of the links that you embed in your posts. When you link to a site from the official social media account of your company, that website could become expired and available for registration. Now anyone can register that site and hijack the content that you are posting on your accounts! For examples of this, check out this blog post, where a hacker talks about how he was able to hijack the Tweets of celebrities: Tweet Link Hijacking

Analytics Hijacking

Finally, sometimes companies link to an expired analytics account from their pages. If the company later stops using that analytics site and forgets to remove the reference from their pages, attackers can register on the web analytics service and hijack the analytics portal. This might allow them to gather analytics information for the site, monitor site traffic, and gather information about its visitors.

Thanks for reading! Next time, we build a monitoring system that scans for these vulnerabilities.