Today I will write about subdomain takeover. It is a common security issue that is really a developer's mistake: a DNS CNAME record for one of their subdomains is left pointing at an unused or unclaimed third-party service, and attackers can claim that subdomain through the external service it points to, which can lead to serious issues. You can learn more about subdomain takeover on the Detectify blog. While testing flock.com I came across the domain flock.co, which belongs to the same company. So I started looking at its subdomains and found newdev.flock.co, and when I visited it in the browser I got an error like the screenshot below.
This caught my attention, so I checked the DNS record for this domain.
$ dig newdev.flock.co

; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A

;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 18.104.22.168
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 22.214.171.124

;; Query time: 69 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175
From the above record we can see that the subdomain points to the CNAME cname.readme.io. So I started reading the custom domain documentation on the readme.io website to understand how it works. From their documentation I understood that:
- You need a subdomain pointing to your readme.io subdomain like
- Your subdomain should be configured in domains settings on the following page
So to take over the subdomain I needed to check whether cname.readme.io was already claimed or not. Unfortunately, it was already claimed 🙁. But I have seen that many such services don't force users to prove ownership of a domain, since they use the same CNAME/TXT record as their service subdomain, so there was still hope. I opened an account on readme.io and got the subdomain newdev.readme.io. Then I went to the domains settings at https://dash.readme.io/project/newdev/v1.0/domains, entered newdev.flock.co in the Custom Domain field and saved the changes. Now when I visited newdev.flock.co it redirected me to http://newdev.flock.co/inactive, a page saying:
Not Yet Active
This is shown because I was using a trial account. In the web page title in the screenshot above you can see the project name I used when creating the project. So now this domain serves my content from the newdev.readme.io project page.
How to avoid such issues? Always keep your DNS records up to date: remove CNAME or any other DNS records that are no longer in use. If you find a security vulnerability feel free to contact them via
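As an added example (not code from the original post), here is the kind of audit a DNS owner could run to catch records like the one above: it parses dig-style answer lines, follows each CNAME chain until it leaves the organisation's own zones, and flags any subdomain whose first external target is not in the team's own inventory of custom domains actually configured at the provider. The sample records, the zone list and the inventory are constructed for illustration.

```python
import re

# Constructed sample answer lines, modelled on the dig output above (not live data).
SAMPLE_ANSWERS = """
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 18.104.22.168
docs.flock.co. 300 IN CNAME cname.readme.io.
www.flock.co. 300 IN A 203.0.113.10
"""

RECORD_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+(CNAME|A)\s+(\S+?)\.?$")

def parse_cnames(text):
    """Return {owner: target} for every CNAME line in dig-style answer text."""
    cnames = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m and m.group(2) == "CNAME":
            cnames[m.group(1).lower()] = m.group(3).lower()
    return cnames

def in_zones(name, zones):
    # True if name is one of our zones or a subdomain of one of them
    return any(name == z or name.endswith("." + z) for z in zones)

def cname_chain(name, cnames, max_hops=10):
    """Follow CNAMEs from name; max_hops guards against CNAME loops."""
    chain = [name]
    while chain[-1] in cnames and len(chain) <= max_hops:
        chain.append(cnames[chain[-1]])
    return chain

def find_dangling_candidates(text, own_zones, claimed):
    """Flag (subdomain, external_target) pairs whose CNAME leaves our zones and
    is not in `claimed`, the inventory of custom domains configured at the provider."""
    cnames = parse_cnames(text)
    findings = []
    for name in sorted(cnames):
        if not in_zones(name, own_zones):
            continue  # only audit names we are responsible for
        chain = cname_chain(name, cnames)
        external = next((h for h in chain[1:] if not in_zones(h, own_zones)), None)
        if external is not None and claimed.get(name) != external:
            findings.append((name, external))
    return findings

if __name__ == "__main__":
    # constructed inventory: docs.flock.co is configured at the provider, newdev.flock.co is not
    print(find_dangling_candidates(SAMPLE_ANSWERS, ["flock.co"], {"docs.flock.co": "cname.readme.io"}))
```

Every flagged record is a candidate to remove or to re-register at the provider, not proof of takeover; the check is only as good as the inventory the team keeps.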
Thanks for reading.