Rampant CNAME misconfiguration leaves thousands of organizations open to subdomain takeover attacks – research

Adam Bannister 25 November 2020 at 14:46 UTC | Updated: 25 November 2020 at 17:49 UTC

Security researchers discover more than 400,000 at-risk subdomains during an automated internet trawl

Security researchers have discovered more than 400,000 subdomains with misconfigured CNAME records, leaving many at risk of malicious takeover as a result.

When websites are externally hosted, the CNAME (Canonical Name) record is used to map their canonical domain and subdomains to the third-party host domain.

This means that the canonical, rather than host, domain appears in a browser’s address bar.

When a cloud-hosted web page is deleted but the DNS entry pointing to the resource is retained, attackers can potentially re-register the host, add “the organization’s subdomain as an alias, and thus [control] what content is hosted”, explained Pinaki Mondal of India-headquartered security firm RedHunt Labs in a blog post.

Attackers can then serve malicious content to visitors, and potentially intercept internal emails, mount clickjacking attacks (PDF), hijack users’ sessions by abusing OAuth whitelisting, and abuse cross-origin resource sharing (CORS) to harvest sensitive information from authenticated users.

‘Stale’ CNAME records also leave sites vulnerable to ‘broken-link hijacking’.
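The defensive counterpart to the scenario above is a routine inventory sweep that flags CNAME records whose target no longer resolves. The following Python script is an added illustration written for this article, not code from RedHunt Labs or from the researchers quoted; the zone entries, host names and the resolver table are all constructed so that it runs offline, and in a real audit the `resolves` predicate would be backed by live DNS lookups.

```python
"""Offline audit for dangling CNAME records (added example, not from the article).

A CNAME is 'dangling' when the organisation's subdomain still aliases a
third-party host name that no longer resolves (NXDOMAIN). Such records are the
precondition for the takeover the article describes, so the defensive control
is to sweep the zone and flag them before the retired host is re-registered.
"""
from typing import Callable, Dict, List, Set

# Constructed sample zone: subdomain -> CNAME target. All names are hypothetical.
SAMPLE_ZONE: Dict[str, str] = {
    "shop.example.org": "shop-prod.hosting-provider.example",
    "blog.example.org": "blog.example.org.cdn-provider.example",
    "old-campaign.example.org": "retired-app.hosting-provider.example",
    "docs.example.org": "docs-alias.example.org",  # in-zone CNAME chain
    "docs-alias.example.org": "docs-live.hosting-provider.example",
}

# Constructed resolver view: names that currently resolve. In production this
# table would be replaced by real DNS queries (for example via dnspython);
# it is fixed here so the example runs offline and deterministically.
SAMPLE_RESOLVABLE: Set[str] = {
    "shop-prod.hosting-provider.example",
    "blog.example.org.cdn-provider.example",
    "docs-live.hosting-provider.example",
    # "retired-app.hosting-provider.example" is deliberately absent: NXDOMAIN
}


def make_table_resolver(resolvable: Set[str]) -> Callable[[str], bool]:
    """Return a predicate answering 'does this host name still resolve?'."""
    normalised = {n.rstrip(".").lower() for n in resolvable}
    return lambda name: name.rstrip(".").lower() in normalised


def follow_cname_chain(name: str, zone: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAME -> CNAME aliases defined inside the zone and return the chain.

    Stops at the first target that is not itself a CNAME in the zone, on a
    loop, or after max_hops, so a misconfigured zone cannot hang the audit.
    """
    chain = [name]
    seen = {name}
    while chain[-1] in zone and len(chain) <= max_hops:
        nxt = zone[chain[-1]]
        if nxt in seen:
            break  # CNAME loop: stop rather than iterate forever
        chain.append(nxt)
        seen.add(nxt)
    return chain


def find_dangling_cnames(zone: Dict[str, str],
                         resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Return {subdomain: final_external_target} for records whose chain ends
    at an external host name that does not resolve.

    Chains that terminate inside the zone (loops or truncated chains) are
    skipped: that is a zone-integrity problem, not an external dangling alias.
    """
    dangling: Dict[str, str] = {}
    for subdomain in zone:
        chain = follow_cname_chain(subdomain, zone)
        final = chain[-1]
        if final in zone:
            continue
        if not resolves(final):
            dangling[subdomain] = final
    return dangling


if __name__ == "__main__":
    resolver = make_table_resolver(SAMPLE_RESOLVABLE)
    for sub, target in find_dangling_cnames(SAMPLE_ZONE, resolver).items():
        print(f"DANGLING: {sub} -> {target} (target does not resolve; remove or re-point)")
```

The check deliberately follows in-zone CNAME chains before testing the final external target, because a subdomain that aliases another internal name is still exposed if the end of that chain points at a host the organisation no longer owns. The remediation for every flagged entry is the same: delete the record or re-point it at a resource the organisation controls.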

Ethical constraints

Speaking to The Daily Swig this week, Shubham Mittal, director of RedHunt Labs, ackn ..