A subdomain takeover vulnerability occurs when a malicious attacker is able to claim a subdomain from a legitimate site. Once the attacker controls the subdomain, they can either serve their own content or intercept traffic.

Understanding Domain Names

Domains are organized hierarchically, with subdomains (like www.example.com) added to the left of a registered domain. Subdomains are created using DNS records such as A records (pointing to IPs) or CNAME records (pointing to other domains). If these records are misconfigured or left pointing to unused resources, attackers may be able to take over the subdomain.

How Subdomain Takeovers Work

A subdomain takeover occurs when a DNS record points to an external service that is no longer claimed, allowing an attacker to take control of the subdomain. This often involves platforms like Heroku or Amazon S3. Attackers can then host malicious content, steal cookies, or phish users.

Ubiquiti Subdomain Takeover

Difficulty: Low

URL: http://assets.goubiquiti.com/

Source: https://hackerone.com/reports/109699/

Date reported: January 10, 2016

Bounty paid: $500

Amazon Web Services S3 uses globally unique bucket names, meaning anyone can claim an unregistered bucket. In this case, a CNAME pointed to an unclaimed S3 bucket, allowing a researcher to register the bucket and take over the subdomain: a classic S3 subdomain takeover.

Takeaways

Check DNS records that point to third-party services like Amazon Web Services S3 and confirm the resource is properly configured. Tools like KnockPy can help monitor for forgotten or misconfigured records.

Scan.me Pointing to Zendesk

Difficulty: Low

URL: http://support.scan.me/

Source: https://hackerone.com/reports/114134/

Date reported: February 2, 2016

Bounty paid: $1,000

Zendesk provides customer support subdomains, like support.example.com. In this case, support.scan.me pointed to scan.zendesk.com. After Snapchat acquired scan.me and the Zendesk subdomain was released, the old CNAME record remained. A hacker claimed scan.zendesk.com and took control of support.scan.me, demonstrating a Zendesk-based subdomain takeover.

Takeaways

After company acquisitions, subdomains may be removed but DNS records left behind, creating takeover risks. Regularly recheck DNS records following acquisition announcements.

Shopify Windsor Subdomain Takeover

Difficulty: Low

URL: http://windsor.shopify.com/

Source: https://hackerone.com/reports/150374/

Date reported: July 10, 2016

Bounty paid: $500

Some subdomain takeovers don't need third-party services. Researcher zseano found windsor.shopify.com pointing to an unregistered domain, claimed it, and demonstrated a takeover, using SSL certificate data from crt.sh and Censys.

Takeaways

If a subdomain points to another domain and returns 404, check if that domain is available to register. Use crt.sh and Censys to discover related subdomains.

Snapchat Fastly Takeover

Difficulty: Medium

URL: http://fastly.sc-cdn.net/takeover.html

Source: https://hackerone.com/reports/154425/

Date reported: July 27, 2016

Bounty paid: $3,000

In 2016, Snapchat's fastly.sc-cdn.net subdomain was misconfigured, pointing to an unclaimed Fastly domain. A researcher confirmed ownership via Censys. This flaw could have let attackers serve malicious files to some users until it was fixed.

Takeaways

Look for subdomains pointing to services that return errors and check for misconfigurations. Always verify ownership and confirm the domain is in use before reporting a takeover.

Legal Robot Takeover

Difficulty: Medium

URL: https://api.legalrobot.com/

Source: https://hackerone.com/reports/148770/

Date reported: July 1, 2016

Bounty paid: $100

Even if a specific subdomain is claimed, a misconfigured service may allow a wildcard subdomain (like *.example.com) to override it. In this case, claiming the wildcard enabled a takeover of api.legalrobot.com, showing that third-party misconfigurations can still lead to subdomain takeovers.

Takeaways

Using third-party services means relying on their security. A wildcard misconfiguration can override claimed subdomains, so always use a safe, minimal proof when reporting a takeover.

Uber SendGrid Mail Takeover

Difficulty: Medium

URL: https://em.uber.com/

Source: https://hackerone.com/reports/156536/

Date reported: August 4, 2016

Bounty paid: $10,000

SendGrid is used by clients like Uber to send emails. Researcher Rojan Rijal noticed that Uber's subdomain em.uber.com had an MX record pointing to SendGrid but hadn't set up the Inbound Parse Webhook, which lets email content be forwarded to a URL. By claiming the subdomain in SendGrid, Rijal could intercept emails, confirming the vulnerability. He reported it responsibly, and SendGrid added a domain verification check to prevent similar exploits.

Takeaways

This case shows the importance of studying third-party documentation. By understanding SendGrid's services and configuration, Rojan Rijal discovered a vulnerability affecting Uber. Thoroughly exploring all features of third-party services used by a target site is crucial for identifying potential security risks.
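The dangling-record check described in the opening sections and in the Amazon Web Services S3, Shopify and SendGrid takeaways above, as an added defender-side example (not code from the original post or from any of the programs mentioned). It walks a constructed zone with fictional names; the TARGET_CLAIMED stub stands in for the live lookup (NXDOMAIN or the provider's "no such bucket" response) that a real audit would perform, and the provider suffix list is an assumption to extend for your own estate.

```python
# Suffixes of services that hand out customer-chosen names (assumed list; extend it).
CLAIMABLE_SUFFIXES = {
    "s3.amazonaws.com": "Amazon S3 bucket",
    "zendesk.com": "Zendesk helpdesk",
    "sendgrid.net": "SendGrid inbound mail",
}

# Constructed zone for the demo: name -> (record type, target). All names fictional.
ZONE = {
    "assets.example.com": ("CNAME", "assets-example.s3.amazonaws.com."),
    "support.example.com": ("CNAME", "example.zendesk.com"),
    "windsor.example.com": ("CNAME", "old-partner-site.example"),
    "em.example.com": ("MX", "mx.sendgrid.net"),
    "www.example.com": ("A", "203.0.113.10"),
}

# Stub for "is the target still claimed?"; a live audit uses NXDOMAIN or the provider's error page.
TARGET_CLAIMED = {
    "assets-example.s3.amazonaws.com": False,  # bucket deleted, CNAME left behind
    "example.zendesk.com": False,              # helpdesk released after acquisition
    "old-partner-site.example": False,         # registration lapsed, domain is free
    "mx.sendgrid.net": True,
}

def normalize(host):
    # Drop the trailing dot and case so suffix matching is reliable.
    return host.rstrip(".").lower()

def provider_for(target):
    # Anchor on a label boundary so 's3.amazonaws.com.attacker.example' never matches.
    target = normalize(target)
    for suffix, label in CLAIMABLE_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return label
    return None

def audit(zone, claimed):
    # Returns (name, rtype, target, reason) for every record that needs attention.
    findings = []
    for name, (rtype, target) in zone.items():
        target = normalize(target)
        provider = provider_for(target)
        if rtype == "CNAME" and not claimed.get(target, True):
            reason = (f"{provider} no longer claimed" if provider
                      else "target domain does not resolve; it may be registrable")
            findings.append((name, rtype, target, reason))
        elif rtype == "MX" and provider:
            findings.append((name, rtype, target,
                             f"mail delegated to {provider}; DNS cannot show it is verified there"))
    return findings
```

Records flagged as "no longer claimed" or "registrable" should be removed or re-pointed immediately; MX findings need a manual check in the provider's console, since the SendGrid case shows the risk is invisible from DNS alone.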

Summary

Subdomain takeovers occur when DNS records point to unclaimed third-party services like Heroku or Amazon Web Services S3. Use tools like KnockPy and crt.sh to find them, read service documentation carefully, and provide respectful proof of concept.

See you in the next chapter!