Security researchers discover more than 400,000 at-risk subdomains during an automated internet trawl

Rampant CNAME misconfiguration leaves thousands of organizations open to subdomain takeover attacks - research

Security researchers have discovered more than 400,000 subdomains with misconfigured CNAME records, leaving many at risk of malicious takeover as a result.

When websites are externally hosted, the CNAME (Canonical Name) record is used to map their canonical domain and subdomains to the third-party host domain.

This means that the canonical, rather than host, domain appears in a browser’s address bar.

When a cloud hosted web page is deleted but the DNS entry pointing to the resource is retained, attackers can potentially re-register the host, add “the organization’s subdomain as an alias, and thus [control] what content is hosted”, explained Pinaki Mondal of India-headquartered security firm RedHunt Labs in a blog post.

Attackers can then serve malicious content to visitors, and potentially intercept internal emails, mount clickjacking attacks (PDF), hijack users’ sessions by abusing OAuth whitelisting, and abuse cross-origin resource sharing (CORS) to harvest sensitive information from authenticated users.

‘Stale’ CNAME records also leave sites vulnerable to ‘broken-link hijacking’.

Ethical constraints

Speaking to The Daily Swig this week, Shubham Mittal, director of RedHunt Labs, acknowledged that some vulnerable subdomains might not actually be ‘claimable’ by nefarious actors.

Fashioning a proof-of-concept exploit would mean performing a subdomain takeover and would therefore be legally and ethically problematic without the domain owner’s “explicit written consent”, he explained.


Read more of the latest browser security news


Regardless, using a tool that conducts mass DNS resolution, RedHunt Labs found more than 424,000 subdomains with misconfigured CNAME records during a automated trawl of 220 million hosts.

How many of these sites were abandoned, such as if they belonged to defunct organizations, was unclear “because we need to lookup company registries to get that information”, said Mittal.

Aided by HTTP response grabbing, the researchers also uncovered evidence that 139 of Alexa’s top 1,000 domains may have fallen prey to subdomain takeovers.

E-commerce the worst offender

RedHunt Labs identified 33 third-party services that “allowed for potential subdomain takeovers”. The Daily Swig has asked RedHunt Labs for clarification of how they do so.

With nearly 63% of vulnerable DNS records pointing to Shopify, most vulnerable domains belonged to e-commerce operators.

Landing page creator Unbounce accounted for the second highest number of vulnerable domains, at 14%, followed by Heroku (10%), GitHub Pages (4%), and Bigcartel (2%).

Drilling into the data, RedHunt said ‘www’ was the most frequently vulnerable subdomain, followed by ‘shop’, ‘store’, and ‘blog’.

Pinaki Mondal pointed out that by stripping the ‘www’ and ‘m’ subdomains from the address bar from Chrome 69 onwards, Google had inadvertently made it harder for users to realize that they “might be browsing attacker-controlled content”.


RELATED Google Chrome hides ‘www’ to simplify address bar


One of around 200 “non-functional” .gov site subdomains with misconfigured CNAME records, meanwhile, had a ‘wildcard’ CNAME record, which poses a particularly dangerous security risk.

“Prestigious universities” owned some of the roughly 1,000 misconfigured .edu subdomains, said Mondal.

Unwieldy attack surface

The findings show that despite the potentially calamitous impact of subdomain takeovers, many well-resourced large organizations are struggling to comprehensively discover and track “their ever-expanding infrastructure”.

Roblox, Starbucks, and the US Department of Defense are among the organizations to remediate subdomain takeover flaws through HackerOne in the past year. However, “few reports” included exploits of “other web app functionalities”, noted Mondal.

The Daily Swig has previously reported on subdomain takeover flaws stemming from the Live Tiles feature of Microsoft Windows 8, in 2019, and a misconfigured Microsoft subdomain in 2018.


RELATED Apple’s Safari browser blocks CNAME cloaking in Big Sur privacy boost