Subdomain security is substandard, say security researchers

Abandoned or ignored subdomains often include overlooked vulnerabilities that leave organisations open to attack, according to a team of infosec researchers from the Vienna University of Technology and the Ca’ Foscari University of Venice. The team’s work will be presented at the 30th USENIX Security Symposium this August.

Hijacking of subdomains is not new, but this new research points out that they’re a weak spot because organisations often forget to maintain them properly, and make the incorrect assumption that access can only be gained if explicitly allowed by an administrator.

That laxity leaves subdomains open to a cookie-based attack in which an attacker sets up their own site to replace an abandoned or expired subdomain hosted on a completely different server from the main web site. Then, as web sites typically consider their subdomains “safe,” cookies assigned to the main web site can be overwritten and accessed by the subdomain, thus allowing an intruder to impersonate another user and conduct illicit activities.

The researchers also looked at other known methods of subdomain sabotage — such as dangling records, vulnerable to attacks against cookies, cross-origin resource sharing, postMessage JavaScript attacks, and domain relaxation exploits that allow scripts to work across related domains in ways that a browser would prohibit.

The team scanned 50,000 of the world’s most important web sites as ranked by the Tranco list, and found 1520 vulnerable subdomains across 887 sites.

• What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses
• On the 11th day of Christmas TalkTalk took from me... the email address of my company
• Brave browser first to nix CNAME deception, the sneaky DNS trick used by marketers to duck privacy controls
• Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

Among the notable organisations with susceptible subdomains were Cisco, CNN, Harvard, and the USA’s National Institutes of Health.

The researchers told administrators about the cybersecurity gaps where possible. Six months later, only 31 per cent of reported subdomains were corrected.

Those with more subdomains have a larger “attack surface,” evidenced by the researchers finding 15 per cent of the domains with more than 50,000 subdomains vulnerable, compared to less than two per cent of all sites. Academic institutions were also at risk, as heterogeneous public-facing IT infrastructures can require a high number of subdomains. Over seven per cent of .edu sites had at least one subdomain vulnerability.

In their paper, the team recognises that finding vulnerable domains within a system is not a straightforward task, and advised the following:

The researchers have published their findings and paper at the cleverly titled https://canitakeyoursubdomain.name/ ®