23.12.19

Sub-domain takeover

Not all vulnerabilities in a company's online presence involve a direct attack on servers or application code; some can be a lot more subtle and indirect. An example of this is an exploit known as 'subdomain takeover'.

If you own a domain such as example.com, you can have any number of subdomains: obvious ones such as www.example.com, staging.example.com and mail.example.com, but you might also decide to use a subdomain such as christmas.example.com to point to a temporary campaign microsite. It's just a case of creating a DNS entry for each subdomain pointing to the IP address that is hosting the relevant service. So if you are careful to secure access to your DNS administration tools, how can someone take over a subdomain?

Let's say a company runs a Christmas marketing campaign which they host with a third-party cloud provider. They set up a DNS entry to point to an IP address advised by that provider, and all is good. At the end of the campaign they cancel the account with the provider, but neglect to remove the subdomain's DNS record. Some enterprising person discovers that the URL now gets a generic 'your site is not set up' page on the third-party provider, and manages to set up a new account with that provider claiming that the subdomain is theirs. All of a sudden it's pointing at a site promoting viagra tablets, or being used in a phishing attack.

So the moral of this story: it's a good idea to keep DNS records tidy, and just as we are careful to take down redundant websites, we should clear up the associated subdomain DNS records too.

It might seem an obscure theoretical exploit, but tell that to Uber and Starbucks.
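One way to turn that moral into a routine check, as an added example rather than code from the original post: audit your own zone export for the two symptoms described above, a CNAME whose target no longer resolves and a host that still answers with the provider's generic 'not set up' page. The zone entries, hostnames and marker text are constructed; the real DNS and HTTP lookups only run when the script is executed directly.

```python
"""Audit DNS records for the dangling-record symptoms described above (added example)."""
import socket
import urllib.request

# Constructed sample zone for offline use: (name, record type, target).
SAMPLE_ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("christmas.example.com", "CNAME", "campaign-1234.cloudhost.example."),
    ("mail.example.com", "CNAME", "mx.example.net."),
]
# Constructed marker text; a real audit keeps one per provider the company has used.
UNCLAIMED_MARKERS = ("your site is not set up",)


def audit_zone(zone, resolve, fetch):
    """Return (name, target, reason) for each record that looks dangling.

    resolve(host) -> list of IPs, [] on NXDOMAIN; fetch(host) -> page text or None.
    Both are injected so the check can run against stubs as well as real DNS/HTTP.
    """
    findings = []
    for name, rtype, target in zone:
        if rtype not in ("A", "CNAME"):
            continue
        if rtype == "CNAME" and not resolve(target.rstrip(".")):
            findings.append((name, target, "CNAME target does not resolve"))
            continue  # already dangling; nothing to fetch
        body = fetch(name)
        if body and any(m in body.lower() for m in UNCLAIMED_MARKERS):
            findings.append((name, target, "answers with an unclaimed-resource page"))
    return findings


def dns_resolve(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def http_fetch(host):
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except OSError:
        return None


if __name__ == "__main__":
    for name, target, reason in audit_zone(SAMPLE_ZONE, dns_resolve, http_fetch):
        print(f"{name} -> {target}: {reason}")
```

Run it against a fresh zone export whenever a hosted service is cancelled, and treat every finding as a record to delete rather than leave for someone else to claim.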
