Closed Bug 1574265 Opened 6 years ago Closed 6 years ago

DNS hijacking of www.mozilla.net

Product / Component: Websites :: Other
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: fredrik (Unassigned)
Keywords: reporter-external, sec-low, wsec-takeover
Whiteboard: [reporter-external] [web-bounty-form] [verif?]

Hey there,

I noticed that www.mozilla.net had a CNAME pointer and that it also returned status NXDOMAIN. This, in my experience, is usually an interesting thing to investigate. I used dig and saw that the CNAME pointed to redirects-mozilla-it.netlifyglobal.com. To my surprise, the apex (netlifyglobal.com) also yielded NXDOMAIN. To confirm my suspicion I ran the WHOIS command on netlifyglobal.com, which yielded:

λ whois netlifyglobal.com
No match for "NETLIFYGLOBAL.COM".

Last update of whois database: 2019-08-15T18:46:02Z <<<

By this point I simply went to Amazon and bought netlifyglobal.com for $12. After the registration was successful, I issued a single wildcard TXT record containing my Twitter handle @almroot.

Proof of Concept:
λ dig www.mozilla.net TXT +short
redirects-mozilla-it.netlifyglobal.com.
"@almroot"

As of right now I have full DNS access to www.mozilla.net. I can issue my own SSL certificate for www.mozilla.net, set up an MX record and get my own hostmaster@www.mozilla.net email address. I can add an A pointer and direct it to my VPS, from there spin up a website and access cookies in the wildcard scope of *.mozilla.net, or generally make new ones. Given this foothold, no security flags such as Secure or HttpOnly would protect any cookies scoped to Domain=.mozilla.net from being accessed by my site. Given the nature of the domain, any domain-based whitelists that accept *.mozilla.net can be bypassed (such as any potential CORS or CSP policies). As the domain is "www", phishing is also a plausible attack.

To mitigate this issue, simply remove the CNAME pointer for www from going to redirects-mozilla-it.netlifyglobal.com. I hope that helps!

Regards,
Fredrik N. Almroth

Flags: sec-bounty?
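The condition the report describes (a CNAME whose target is NXDOMAIN, and whose registrable apex is NXDOMAIN as well) is straightforward to audit for from the zone owner's side. The following is an added example, not code from the report or from Mozilla; it reproduces the reporter's dig/whois reasoning as a classification over an injectable resolver, so it can be run offline against constructed snapshots of the two states shown in this thread. The `registrable_apex` helper assumes the apex is the last two labels (a simplification that ignores multi-label public suffixes), the snapshot names and records other than those quoted on the page are constructed, and the optional live resolver assumes the third-party dnspython package.

```python
# Dangling-CNAME audit (added example, not part of the bug report).
# The resolver is injectable so the logic runs offline against constructed
# snapshots; live lookups use dnspython (third-party) if it is installed.
from typing import Callable, Dict, List, Optional, Tuple


class NXDOMAIN(Exception):
    """Raised by a resolver callback when the queried name does not exist."""


Resolver = Callable[[str, str], List[str]]
Records = Dict[Tuple[str, str], List[str]]


def registrable_apex(name: str) -> str:
    """Last two labels of a name. Simplifying assumption: ignores multi-label
    public suffixes such as co.uk; production code should consult the PSL."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def _query(resolve: Resolver, name: str, rtype: str) -> Optional[List[str]]:
    """Return the answer list, or None when the name is NXDOMAIN."""
    try:
        return resolve(name, rtype)
    except NXDOMAIN:
        return None


def check_cname(name: str, resolve: Resolver) -> Dict[str, Optional[str]]:
    """Classify one hostname:
      no-cname                   - nothing to audit
      ok                         - CNAME target has an address record
      dangling-target            - target has no address / is NXDOMAIN but its
                                   apex is delegated (provider-side risk; whether
                                   it is claimable depends on the provider)
      dangling-unregistered-apex - target and apex are both NXDOMAIN; the apex
                                   may be unregistered (confirm with WHOIS/RDAP)
    """
    cname = _query(resolve, name, "CNAME") or []
    if not cname:
        return {"name": name, "target": None, "verdict": "no-cname"}
    target = cname[0].rstrip(".").lower()

    addrs = _query(resolve, target, "A")
    if addrs is not None and not addrs:          # exists but no A: try AAAA
        addrs = _query(resolve, target, "AAAA")
    if addrs:
        return {"name": name, "target": target, "verdict": "ok"}

    apex = registrable_apex(target)
    if _query(resolve, apex, "NS") is None:      # apex itself is NXDOMAIN
        verdict = "dangling-unregistered-apex"
    else:
        verdict = "dangling-target"
    return {"name": name, "target": target, "verdict": verdict}


def snapshot_resolver(records: Records) -> Resolver:
    """Resolver over a constructed in-memory snapshot. A name with no records
    of any type is treated as NXDOMAIN, as a real resolver would report."""
    known = {n for n, _ in records}

    def resolve(name: str, rtype: str) -> List[str]:
        key = (name.rstrip(".").lower(), rtype.upper())
        if key[0] not in known:
            raise NXDOMAIN(key[0])
        return list(records.get(key, []))

    return resolve


def live_resolver(name: str, rtype: str) -> List[str]:
    """Real lookups via dnspython (pip install dnspython); imported lazily so
    the offline parts of this file work without it."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rtype, raise_on_no_answer=False)
    except dns.resolver.NXDOMAIN:
        raise NXDOMAIN(name) from None
    return [rdata.to_text() for rdata in answer]


# Constructed snapshots of the two states visible in this thread.
BROKEN_SNAPSHOT: Records = {
    ("www.mozilla.net", "CNAME"): ["redirects-mozilla-it.netlifyglobal.com."],
    # target and its apex netlifyglobal.com absent -> NXDOMAIN, as reported
}
FIXED_SNAPSHOT: Records = {
    ("www.mozilla.net", "CNAME"): ["redirects-mozilla-it.netlifyglobalcdn.com."],
    ("redirects-mozilla-it.netlifyglobalcdn.com", "A"): ["35.238.216.133"],
}
# Constructed: provider apex still delegated, customer hostname removed.
PROVIDER_GONE_SNAPSHOT: Records = {
    ("old.example.org", "CNAME"): ["gone.hosting.example."],
    ("hosting.example", "NS"): ["ns1.hosting.example."],
}

if __name__ == "__main__":
    for label, snap, host in [("broken", BROKEN_SNAPSHOT, "www.mozilla.net"),
                              ("fixed", FIXED_SNAPSHOT, "www.mozilla.net"),
                              ("provider-gone", PROVIDER_GONE_SNAPSHOT, "old.example.org")]:
        print(label, check_cname(host, snapshot_resolver(snap)))
```

The `dangling-unregistered-apex` verdict is only a strong hint, not proof: an apex can be NXDOMAIN while still registered (for example with a lame or missing delegation), so an alerting pipeline should treat it as a trigger for an RDAP/WHOIS lookup and a ticket to remove or repoint the record, which is exactly the mitigation the report asks for.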

When I look at www.mozilla.net, it's pointing here:

$ host www.mozilla.net
www.mozilla.net is an alias for redirects-mozilla-it.netlifyglobalcdn.com.
redirects-mozilla-it.netlifyglobalcdn.com has address 35.238.216.133
redirects-mozilla-it.netlifyglobalcdn.com has IPv6 address 2600:1f16:204:f102:1701:4b38:9d52:5d02

And I see that www.mozilla.net is redirecting to mozilla.org. The hosting provider seems to be netlifyglobalcdn.com, not netlifyglobal.com.

Similarly, with dig:

$ dig www.mozilla.net TXT +short
redirects-mozilla-it.netlifyglobalcdn.com.

Where are you seeing redirects-mozilla-it.netlifyglobal.com?

Yes I did, and I can confirm that the issue is fixed now. I noticed the flaw yesterday (2019-08-15) at 19:28 CEST. I reported the issue at 21:32 CEST.

Maybe I just happened to spot it while you guys were fiddling around?

(In reply to Fredrik Nordberg Almroth from comment #2)

> Yes I did, and I can confirm that the issue is fixed now. I noticed the flaw yesterday (2019-08-15) at 19:28 CEST. I reported the issue at 21:32 CEST.
>
> Maybe I just happened to spot it while you guys were fiddling around?

Yes, netlifyglobal.com was effectively a typo that was corrected shortly afterwards. You spotted it right in the middle of the fix, apparently.

Oh that is interesting. Well, looking at it from the bright side, at least the mitigation was quick and easy!

Flags: sec-bounty? → sec-bounty+

Reporter, how would you like to be credited on the hall of fame for this? If you have a link to your profile, I'd be happy to do that.

Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: sec-bounty-hof+
Resolution: --- → FIXED

Hello, I'd be happy if you used my full name, "Fredrik Nordberg Almroth". My Twitter is https://twitter.com/almroot.

Thanks!

Would you like me to change your old hall of fame entry as well? It goes to detectify.com.

Thanks!

No, that's fine. But thanks for asking!
