Security researchers discover more than 400,000 at-risk subdomains during an automated internet trawl
Security researchers have discovered more than 400,000 subdomains with misconfigured CNAME records, leaving many at risk of malicious takeover as a result.
When websites are externally hosted, the CNAME (Canonical Name) record is used to map their canonical domain and subdomains to the third-party host domain.
This means that the canonical, rather than host, domain appears in a browser’s address bar.
When a cloud hosted web page is deleted but the DNS entry pointing to the resource is retained, attackers can potentially re-register the host, add “the organization’s subdomain as an alias, and thus [control] what content is hosted”, explained Pinaki Mondal of India-headquartered security firm RedHunt Labs in a blog post.
Attackers can then serve malicious content to visitors, and potentially intercept internal emails, mount clickjacking attacks, hijack users’ sessions by abusing OAuth whitelisting, and abuse cross-origin resource sharing (CORS) to harvest sensitive information from authenticated users.
‘Stale’ CNAME records also leave sites vulnerable to ‘broken-link hijacking’.
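The defensive check implied by the above is to audit your own zone for CNAME records whose chain ends at a name that no longer resolves. The script below is an added example, not code from RedHunt Labs or from the article; the zone lines, hostnames and the `LIVE_HOSTS` table are constructed stand-ins for a real resolver.

```python
"""Audit a zone for dangling CNAME records (constructed example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone in BIND-style "owner TTL IN CNAME target" lines.
SAMPLE_ZONE = """
www.example.com.     300 IN CNAME example.github.io.
shop.example.com.    300 IN CNAME old-shop.example-host.test.
docs.example.com.    300 IN CNAME www.example.com.
loop.example.com.    300 IN CNAME loop2.example.com.
loop2.example.com.   300 IN CNAME loop.example.com.
"""

# Constructed view of which targets currently resolve. A real audit would
# pass a function that queries DNS and returns None on NXDOMAIN.
LIVE_HOSTS = {"example.github.io.": "185.199.108.153"}

def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line in a BIND-style zone."""
    cnames: Dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "CNAME"]:
            cnames[parts[0].lower()] = parts[4].lower()
    return cnames

def classify(name: str, cnames: Dict[str, str],
             resolve: Callable[[str], Optional[str]],
             max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain from `name`; report 'ok', 'dangling' or 'loop'."""
    seen: List[str] = []
    current = name
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            return "loop", seen
        seen.append(current)
        current = cnames[current]
    # The chain ends at a non-CNAME name. If nothing answers for it, the
    # record is stale and should be removed before anyone else can claim
    # the target; whether a given provider lets a target be claimed is a
    # separate judgement this check does not make.
    status = "ok" if resolve(current) else "dangling"
    return status, seen + [current]

def audit(zone_text: str,
          resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return {owner: status} for every CNAME owner in the zone."""
    cnames = parse_cnames(zone_text)
    return {owner: classify(owner, cnames, resolve)[0] for owner in cnames}

if __name__ == "__main__":
    for owner, status in audit(SAMPLE_ZONE, LIVE_HOSTS.get).items():
        print(f"{status:9} {owner}")
```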
Speaking to The Daily Swig this week, Shubham Mittal, director of RedHunt Labs, ackn ..