Top 6 Subdomain Takeover Attacks On Uber, Lamborghini, USA.gov

One of the major pain points for large enterprises is not knowing their digital infrastructure completely. Hackers are constantly looking for these soft targets. Subdomain takeover is a type of vulnerability that occurs when a DNS entry (subdomain) of an organization points to an external service (e.g. Heroku, GitHub, Amazon, Bitbucket, Desk, Squarespace, Shopify, etc.) but the service is no longer utilized. In this blog, we list some of the top subdomain takeover attacks on companies like Uber, Lamborghini, USA.gov etc.

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.abc.com) is pointing to a service (e.g. GitHub pages, Heroku, Desk etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain.

For example, if subdomain.abc.com was pointing to a GitHub/Heroku/Desk page and the user decided to delete their GitHub/Heroku/Desk page, an attacker can now create a GitHub/Heroku/Desk page, add a CNAME file containing subdomain.abc.com, and claim subdomain.abc.com.
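
The check a defender wants for the condition just described, as an added example that is not part of the original post: follow each subdomain's CNAME chain and flag targets that no longer resolve, distinguishing hosts on self-service providers (claimable by anyone) from other stale records. The zone table and resolver are constructed for offline use; a real run passes a live DNS lookup as `resolve`.

```python
# Flag dangling CNAMEs, the condition behind every takeover listed below.
# Added example, not the post's tooling; the zone table is constructed so the
# check runs offline. Pass a real lookup (e.g. built on dnspython) as `resolve`.
from typing import Callable, Dict, List, Optional, Tuple

Record = Optional[Tuple[str, str]]   # ("CNAME", target) | ("A", ip) | None = NXDOMAIN
Resolver = Callable[[str], Record]

# Services named in the post on which any account holder can claim a hostname.
TAKEOVER_PRONE_SUFFIXES = (
    ".github.io", ".herokuapp.com", ".cloudfront.net",
    ".bitbucket.io", ".desk.com", ".squarespace.com", ".myshopify.com",
)

# Constructed sample zone (fully qualified names, trailing dot).
SAMPLE_DNS: Dict[str, Record] = {
    "live.example.com.":              ("CNAME", "d111111abcdef8.cloudfront.net."),
    "d111111abcdef8.cloudfront.net.": None,                   # distribution removed
    "blog.example.com.":              ("CNAME", "oldteam.github.io."),
    "oldteam.github.io.":             None,                   # Pages site deleted
    "www.example.com.":               ("CNAME", "shop.myshopify.com."),
    "shop.myshopify.com.":            ("A", "203.0.113.10"),  # still claimed
    "api.example.com.":               ("A", "203.0.113.20"),  # no CNAME involved
    "legacy.example.com.":            ("CNAME", "vm.partner.example."),
    "vm.partner.example.":            None,                   # stale, but not self-service
}

def sample_resolver(name: str) -> Record:
    return SAMPLE_DNS.get(name)

def follow_cname(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[List[str], Record]:
    """Walk the CNAME chain from `name`; return (names visited, final record)."""
    chain, rec = [name], resolve(name)
    while rec is not None and rec[0] == "CNAME" and len(chain) <= max_hops:
        chain.append(rec[1])
        rec = resolve(rec[1])
    return chain, rec

def classify(subdomain: str, resolve: Resolver = sample_resolver) -> str:
    """Verdicts: no-cname | ok | cname-loop | dangling (claimable) | dangling-other."""
    chain, final = follow_cname(subdomain, resolve)
    if len(chain) == 1:
        return "no-cname"                   # A record or NXDOMAIN, nothing to inherit
    if final is not None:
        return "cname-loop" if final[0] == "CNAME" else "ok"
    if chain[-1].rstrip(".").endswith(TAKEOVER_PRONE_SUFFIXES):
        return "dangling"                   # NXDOMAIN on a host anyone can register
    return "dangling-other"                 # remove the record; not self-service claimable

def audit(names, resolve: Resolver = sample_resolver) -> Dict[str, str]:
    return {n: classify(n, resolve) for n in names}
```

A target that still resolves is not automatically safe: some providers answer for unclaimed names with a "not found" page, so an "ok" verdict on a takeover-prone suffix still deserves an HTTP check.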

Security Impact

With a successful subdomain takeover, an attacker can serve arbitrary content on your subdomain. The attacker can completely clone the site and steal valuable credentials such as admin accounts (by adding a login form that redirects the user to a certain page).

If the subdomain is a child domain of the service's base name, then the attacker can read and set cookies on the base name too: subdomain.example.com can set cookies for example.com, which can lead to further high-risk vulnerabilities such as authentication bypass, CORS bypass and many others.

Following are some of the “infamous” attacks that happened because of subdomain takeover:

Uber Case:

  1. Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com.
  2. Subdomain takeover on rider.uber.com due to a non-existent distribution on CloudFront.

Ubiquiti Network Case:

Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com.

Donald Trump fundraising site Case:

Hacker defaces Donald Trump fundraising site via subdomain takeover attack.

Snapchat Case:

Subdomain takeover of blog.snapchat.com.

USA.gov Case:

USA.gov vulnerable to subdomain takeover.

Lamborghini Case:

Subdomain takeover through an expired CloudFront distribution on live.lamborghini.com.
