Subdomain security is substandard, say security researchers

Admins tend to forget that subdomains don’t inherit security controls, leaving the likes of CNN, Harvard, Cisco, and US health authorities with vulnerabilities


Abandoned or ignored subdomains often include overlooked vulnerabilities that leave organisations open to attack, according to a team of infosec researchers from the Vienna University of Technology and the Ca’ Foscari University of Venice. The team’s work will be presented at the 30th USENIX Security Symposium this August.

Hijacking of subdomains is not new, but this new research points out that they’re a weak spot because organisations often forget to maintain them properly, and make the incorrect assumption that access can only be gained if explicitly allowed by an administrator.

That laxity leaves subdomains open to a cookie-based attack in which an attacker sets up their own site to replace an abandoned or expired subdomain hosted on a completely different server from the main web site. Then, as web sites typically consider their subdomains “safe,” cookies assigned to the main web site can be overwritten and accessed by the subdomain, thus allowing an intruder to impersonate another user and conduct illicit activities.

The researchers also looked at other known methods of subdomain sabotage — such as dangling records, vulnerable to attacks against cookies, cross-origin resource sharing, postMessage JavaScript attacks, and domain relaxation exploits that allow scripts to work across related domains in ways that a browser would prohibit.

The team scanned 50,000 of the world’s most important web sites as ranked by the Tranco list, and found 1520 vulnerable subdomains across 887 sites.

Among the notable organisations with susceptible subdomains were Cisco, CNN, Harvard, and the USA’s National Institutes of Health.

The researchers told administrators about the cybersecurity gaps where possible. Six months later, only 31 per cent of reported subdomains were corrected.

Those with more subdomains have a larger “attack surface,” evidenced by the researchers finding 15 per cent of the domains with more than 50,000 subdomains vulnerable, compared to less than two per cent of all sites. Academic institutions were also at risk, as heterogeneous public-facing IT infrastructures can require a high number of subdomains. Over seven per cent of .edu sites had at least one subdomain vulnerability.

In their paper, the team recognises that finding vulnerable domains within a system is not a straightforward task, and advised the following:

We suggest reviewing all the DNS records of type CNAME pointing to external domains, and all A/AAAA records pointing to IP addresses that are not directly controlled by your organization, eg, those of services and cloud providers. If any of the pointed resources are not used anymore, you should remove the corresponding DNS entries to avoid takeover vulnerabilities.

The researchers have published their findings and paper at the cleverly titled https://canitakeyoursubdomain.name/ ®


Other stories you might like

Biting the hand that feeds IT © 1998–2021