Hostile subdomain takeover is a very prevalent and potentially critical security issue. It's a well-known attack vector and easy to exploit, and should therefore be taken seriously.
A subdomain takeover vulnerability typically arises when an organization assigns a subdomain to an external service, e.g. a support ticketing system like Zendesk, a cloud application platform like Heroku or a content delivery network like Fastly. Maybe the organization is only assessing the service, or maybe they switch to a different provider; for whatever reason the organization later deletes its account on the service but forgets one important step: removing the subdomain's DNS configuration that points to the service.
Having a dangling subdomain pointing to an unused external service leaves it open for takeover and complete control of an attacker, as they simply need to sign up to the same service and claim the dangling subdomain. Now they control the content on the subdomain which they can use to launch phishing attacks, bypass security controls and other mischief.
Detecting subdomain takeovers with AQUATONE
A new addition to the AQUATONE toolset is aquatone-takeover, which can detect potential subdomain takeover issues across a bunch of popular external services.
To demonstrate the functionality of aquatone-takeover, I temporarily configured a couple of subdomains on michenriksen.com pointed at 3 different external services. aquatone-takeover detects all three as potentially vulnerable:
- A CNAME record pointing to an unclaimed Amazon S3 bucket.
- A CNAME record pointing to Shopify, a popular ecommerce platform, where the subdomain has not been registered with any account.
- A CNAME record pointing at a non-existent account on Desk, a popular support ticketing system.
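The detection logic behind these three findings is the same in each case: a CNAME record pointing at a known external service, combined with a response from that service that only an unclaimed resource produces. The following Ruby script is an added example written for this post, not aquatone-takeover's own detector modules. The service fingerprints in the table are illustrative assumptions and should be re-verified against each live service before being relied upon; the hostnames, CNAMEs and response bodies in the sample inventory are constructed so the script runs offline.

```ruby
require 'resolv'
require 'net/http'
require 'uri'

# Detector table. Each entry pairs a CNAME pattern identifying the external
# service with a response fingerprint that the service returns only for an
# unclaimed resource. Fingerprints are illustrative assumptions for this
# example, not aquatone-takeover's modules; re-verify them before use.
TAKEOVER_DETECTORS = [
  { service: 'Amazon S3',    cname: /\.amazonaws\.com\z/,  fingerprint: %r{<Code>NoSuchBucket</Code>} },
  { service: 'Shopify',      cname: /\.myshopify\.com\z/,  fingerprint: /Sorry, this shop is currently unavailable/ },
  { service: 'GitHub Pages', cname: /\.github\.io\z/,      fingerprint: /There isn't a GitHub Pages site here/ },
  { service: 'Heroku',       cname: /\.herokuapp\.com\z/,  fingerprint: /No such app/ }
].freeze

# Normalise a CNAME target: strip the trailing dot that dig prints, lower-case it.
def normalize_name(name)
  name.to_s.chomp('.').downcase
end

# Pure decision function: given a host, its CNAME target and the HTTP body
# served for the host, return a finding hash or nil. Both conditions must
# hold: a CNAME to a known service alone is not a finding, because a claimed
# resource is the normal, healthy case.
def classify_takeover(host, cname, body)
  target = normalize_name(cname)
  return nil if target.empty?
  detector = TAKEOVER_DETECTORS.find { |d| target.match?(d[:cname]) }
  return nil unless detector
  return nil unless body.to_s.match?(detector[:fingerprint])
  { host: host, cname: target, service: detector[:service] }
end

# Live CNAME lookup; nil when the host has no CNAME record.
def live_cname(host)
  Resolv::DNS.open do |dns|
    dns.getresource(host, Resolv::DNS::Resource::IN::CNAME).name.to_s
  end
rescue Resolv::ResolvError
  nil
end

# Live HTTP fetch of the host's front page; an unreachable host yields ''.
def live_body(host)
  Net::HTTP.get(URI("http://#{host}/"))
rescue StandardError
  ''
end

# Scan a list of hosts. Resolver and fetcher are injectable so the decision
# logic can be exercised offline; by default the live helpers above are used.
def scan_hosts(hosts, resolver: method(:live_cname), fetcher: method(:live_body))
  hosts.map do |host|
    cname = resolver.call(host)
    next nil unless cname
    classify_takeover(host, cname, fetcher.call(host))
  end.compact
end

# Constructed sample inventory (hostnames, CNAMEs and bodies are made up for
# this example) standing in for an organisation's DNS zone.
SAMPLE_CNAMES = {
  'files.example.test' => 'files.example.test.s3.amazonaws.com.', # unclaimed bucket
  'shop.example.test'  => 'shops.myshopify.com.',                  # claimed, healthy
  'blog.example.test'  => 'example.github.io.',                    # no Pages site
  'www.example.test'   => nil                                      # plain A record
}.freeze

SAMPLE_BODIES = {
  'files.example.test' => '<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>',
  'shop.example.test'  => '<html><body>Welcome to our store</body></html>',
  'blog.example.test'  => "<html><body>There isn't a GitHub Pages site here.</body></html>",
  'www.example.test'   => '<html>ok</html>'
}.freeze

# Run the scan against the constructed inventory without touching the network.
def sample_scan
  scan_hosts(SAMPLE_CNAMES.keys,
             resolver: ->(h) { SAMPLE_CNAMES[h] },
             fetcher: ->(h) { SAMPLE_BODIES[h] })
end

if $PROGRAM_NAME == __FILE__
  sample_scan.each do |f|
    puts "#{f[:host]} -> #{f[:cname]} (#{f[:service]}): potential takeover, remove or reclaim"
  end
end
```

Against the sample inventory the scan reports files.example.test and blog.example.test, while shop.example.test is correctly ignored because Shopify serves real content for it. For a real zone, feed `scan_hosts` the hostnames from your DNS provider's export and keep the default live resolver and fetcher; the cheap remediation for every hit is to delete the dangling CNAME record.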
These are not the only external services aquatone-takeover can detect; at the time of writing it finds subdomain takeover vulnerabilities across a total of 25 services:
- Amazon S3 (Cloud storage)
- Campaign Monitor (Email marketing)
- Cargo (Web publishing platform)
- CloudFront (Content delivery network)
- Desk (Customer service and helpdesk ticket software)
- Fastly (Content delivery network)
- FeedPress (Feed analytics and Podcast hosting)
- Freshdesk (Customer support software and ticketing system)
- Ghost (Publishing platform)
- GitHub Pages (GitHub static website hosting)
- Help Scout (Customer service software and education platform)
- Helpjuice (Knowledge base software)
- Heroku (Cloud application platform)
- Instapage (Landing page platform)
- Pingdom (Website and performance monitoring)
- Shopify (Ecommerce platform)
- StatusPage (Status page hosting)
- SurveyGizmo (Online survey software)
- Teamwork (Project management, help desk and chat software)
- Tictail (Social shopping platform)
- Tumblr (Microblogging and social networking platform)
- Unbounce (Landing page builder and conversion marketing platform)
- UserVoice (Product management software)
- WPEngine (WordPress blog hosting)
- Zendesk (Customer service software and support ticket system)
I hope to expand this list with many more services, so please let me know if you have any ideas or go ahead and contribute more detector modules on GitHub.
Give aquatone-takeover a try! You can install the AQUATONE toolset with `gem install aquatone`, or get the latest version with `gem update aquatone` if you already have it installed.
Here's a small list of articles and reports on subdomain takeover issues across the web:
- Hacker defaces Donald Trump fundraising site via subdomain takeover attack
- Subdomain takeover of blog.snapchat.com
- Subdomain takeover on s3.shopify.com
- Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
- Authentication bypass on Uber’s Single Sign-On via subdomain takeover