Hostile subdomain takeover using Heroku/Github/Desk + more

Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, and affects at least 17 large service providers and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS-entries and remove all which are active and unused OR pointing to External Services which you do not use anymore.

The team at Detectify has recently identified a serious attack vector resulting from a widespread DNS misconfiguration. The misconfiguration allows an attacker to take full control over subdomains pointing to providers such as Heroku, Github, Bitbucket, Desk, Squarespace and Shopify.

Attack Scenario

1. Your company starts using a new service, eg an external Support Ticketing-service.
2. Your company points a subdomain to the Support Ticketing-service, eg support.your-domain.com
3. Your company stops using this service but does not remove the subdomain redirection pointing to the ticketing system.
4. Attacker signs up for the Service and claims the domain as theirs. No verification is done by the Service Provider, and the DNS-setup is already correctly setup.
5. Attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts), cookies and/or completely destroy business credibility for your company.

Three things that make this scenario dangerous

• It’s SUPER easy. Sign up for a new account and claim the domain. Done.
• It’s completely hidden. The Domain Owner won’t notice. The attacker won’t leave any traces for the Domain Owner. Good luck monitoring this in an IDS!
• The Service Provider is unlikely to be able to fix this in a feasible way.

Now if this wasn’t bad enough, imagine this scenario

1. A Domain Owner points their * (wildcard) DNS-entry to e.g. Heroku.
2. They forget to add the wildcard-entry to their Heroku-app.
3. Attacker can now claim any subdomain they want from the Domain Owner.
4. A Domain Owner will be unaware of the subdomain being exploited.

Technical Details

This attack vector utilizes DNS entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.

In the not so rare case, the attacker can also “inherit” the Domain Owner’s Wildcard SSL used inside the Service Provider.

Here’s an example of a DNS entry that could be used for this attack:

If x.example.com has no service attached to it, the subdomain could be taken over by an attacker. Below are examples of how some of the services will indicate the existence of this vulnerability:

Affected Service Providers and Domain Owners

We’ve identified at least 17 Service Providers which do not handle the subdomain ownership verification properly – allowing this vulnerability to be exploited, Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr.

We’ve also identified at least 200 organizations which are currently affected. In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains that basically allowed us to set up a Hello World on their domains.

We have notified both the affected Service Providers as well as the Domain Owners under responsible disclosure programs.

Recommendations

• Check your DNS-configuration for subdomains pointing to services not in use.
• Set up your external service so it fully listens to your wildcard DNS. In Heroku’s case, this means running the following command in your App: heroku domains:add *.example.com

Our advice is to keep your DNS entries constantly vetted and restricted.

Update 2017-02-20: The original article states 17 services, we have now identified 100+ different ways that you can be vulnerable to a domain takeover

Detectify Surface Monitoring

Surface Monitoring is a service for monitoring your subdomains for potential subdomain takeovers. It monitors changes within public DNS resolvers and warns you as soon as we detect any anomalies. Contact us on hello [at] detectify.com  for more information.