Open Bug 1722868 Opened 3 years ago Updated 3 years ago

Subdomain takeover on https://aus5.mozilla.org/

Categories

(Websites :: Other, enhancement)

Tracking

(Not tracked)

People

(Reporter: malekfarhin28, Unassigned)

Details

Attachments

(2 files)

Attached image mozilla.PNG

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0

Steps to reproduce:

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

Here there is a Mozilla domain (https://aus5.mozilla.org/) which is pointing towards Unbounce pages, so this domain can be taken over and can be used to do any type of attack; mostly, I can make a fake login page on your behalf and spoof your users. This is a critical vulnerability and needs to be fixed.

Expected results:

Subdomain takeover. Risk: fake website, malicious code injection, tricking users, company impersonation. This issue can have a really huge impact on the company's reputation. Someone could post malicious content on the compromised site and then your users will think it's official, but it's not.

Hi,
Thank you for your report. I will set this as a New enhancement for the developers' opinion about it.

Thanks for your input.
Clara

Component: Untriaged → Security
Status: UNCONFIRMED → NEW
Type: defect → enhancement
Ever confirmed: true
Component: Security → Other
Product: Firefox → Websites

Hi Clara,
Any update on this report?

Farhin: thanks for your report, I can replicate visiting https://aus5.mozilla.org/ and seeing the text of "The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again." but this service is not hosted on either GitHub, Heroku, or the like. Could you help me understand how you believe this website could be taken over by an attacker? It's unclear to me by the initial report, which describes a general pattern, but not how it applies to this website.

Flags: needinfo?(malekfarhin28)

Hi Jonathan,

Hackers can claim subdomains with the help of external services. This attack is practically non-traceable, affects at least 17 large service providers, and multiple domains are affected. Find out if you are one of them by using our quick tool, or go through your DNS entries and remove all which are active and unused OR pointing to external services which you do not use anymore.

The team at Detectify has recently identified a serious attack vector resulting from a widespread DNS misconfiguration. The misconfiguration allows an attacker to take full control over subdomains pointing to providers such as Heroku, Github, Bitbucket, Desk, Squarespace and Shopify.

Attack Scenario

  1. Your company starts using a new service, e.g. an external support ticketing service.
  2. Your company points a subdomain to the support ticketing service, e.g. support.your-domain.com.
  3. Your company stops using this service but does not remove the subdomain redirection pointing to the ticketing system.
  4. Attacker signs up for the service and claims the domain as theirs. No verification is done by the service provider, and the DNS setup is already correctly set up.
  5. Attacker can now build a complete clone of the real site, add a login form, redirect the user, steal credentials (e.g. admin accounts), cookies and/or completely destroy business credibility for your company.
Flags: needinfo?(malekfarhin28)

Farhin: I'm well aware of the attack vector. My question to you is how you understand this to be exploitable on this domain? My understanding is that it is not vulnerable, and I'd like for you to help me understand if you believe that it is.
