Subdomains are prefixes of internet addresses. If we think that our home’s address is an internet address (URL), then we can call the street as subdomain. Webmasters use subdomains because of some reasons like security, SEO, API, CDN or categorizing. Subdomains technically work like domains and it need a secure platform.

If a subdomain is vulnerable to controlling by another persons excluding system authorities, its called as subdomain takeover. It may happen because of expired hosting services or DNS misconfigurations. Attacker will has full-privilege on the system after tookover the subdomain. Attacker can upload his own files, create his own databases, track data traffic and create a clone of main website. So, it is not possible to detect that the subdomain is hijacked by an attacker and it threaten the security with various attack scenarios. Our team VULLNERAB1337 beat the records and discovered 670+ subdomains of Microsoft is vulnerable to takeover. Let us show you how we found them and what can an attacker do by this vulnerability.

How to Discover Subdomain Takeover Vulnerability

We will see some error messages like “Site not found”, “This site doesn’t exist” while reviewing HTTP responses. And we will see about where is website redirected to, while reviewing DNS records.

An example output for HTTP response of vulnerable subdomain on Github

But in some service providers, we cannot see an HTTP response. So we need to review its DNS records to understand is it vulnerable or not. For example we cannot see an HTTP response in Microsoft Azure, so we need to take a look at DNS records.

Example vulnerable subdomain on Azure: azure.takeover.host , let us look at its DNS records.

An example output for DNS records of vulnerable subdomain on Azure

There are 2 points we should care about:

• status: NXDOMAIN
• CNAME takeovertest-host.azurewebsites.net

This informations tell us about this subdomain is vulnerable to takeover and it is hosting on azurewebsites.net. So, attacker can create a source on Microsoft Azure portal and takeover the subdomain. There are lots of service providers vulnerable to subdomain takeover attacks, for example Github, Amazon Web Services, Azure, Pantheon, Shopify, WordPress, Fastly, Heroku, Tumblr etc…

Example Attack Scenarios

We have claimed some of those subdomains to protect from attackers and show you example attack scenarios.

• identityhelp.microsoft.com
• mybrowser.microsoft.com
• web.visualstudio.com / webeditor.visualstudio.com
• data.teams.microsoft.com
• sxt.cdn.skype.com
• download.collaborate.microsoft.com
• incidentgraph.microsoft.com
• admin.recognition.microsoft.com
• api.getdevices.microsoft.com
• dev.social.microsoft.com
• manage.codesign.microsoft.com
• WDATPUnifiedUX-neu-prd.securitycenter.windows.com

(All of them are reported to Microsoft and fixed.)

What could an attacker do by exploiting this vulnerability?

• Attacker could ask visitors for ID cards or their account credentials on identityhelp.microsoft.com
• Attacker could force visitors to install an extension or update their browsers and spy them by embedding a spyware/malware on mybrowser.microsoft.com
• Attacker could ask visitors to upload their project files and he can steal their codes on webeditor.visualstudio.com
• Attacker could ask team members to upload sensitive and corporational documents on data.teams.microsoft.com by Teams App
• Attacker could ask for money to recharge users Skype account on sxt.cdn.skype.com
• Attacker could force visitors to download malware on download.collaborate.microsoft.com
• Attacker could manipulate the stats and graphs on incidentgraph.microsoft.com
• Attacker could steal administrators passwords on admin.recognition.microsoft.com
• Attacker could manipulate API queries or collect sensitive informations about devices on api.getdevices.microsoft.com
• Attacker could collect informations about developers on dev.social.microsoft.com
• Attacker could collect informations about certificates on manage.codesign.microsoft.com
• Attacker could publish new security updates and force users to download them on *.securitycenter.windows.com

etc...

Our team claimed some of those critical subdomains before attackers and reported them ethically to Microsoft

Yet another danger about subdomain takeover vulnerabilities. Let us see together how can an attacker steal your account password and cookies:

However, Microsoft doesn’t reward subdomain takeover vulnerabilities. We have already reported lots of vulnerable subdomains. We have already reported subdomains in this post but we will not report other 660+ vulnerable subdomains until Microsoft reward researchers. Also, until Microsoft offer bounties to researchers for subdomain takeover vulnerabilities, we exactly recommend you to don’t visit any subdomain of Microsoft because of it is impossible to understand is a subdomain hijacked or not.

How Can An Attacker Exploit This Vulnerability?

• Actually, attacker can exploit this vulnerability as “Stored XSS”.
• Also attacker can clone the main website’s template and steal users credentials like passwords, credit card informations or phone numbers etc.
• Attacker can bypass CSP, CORS and referrer-check based protections and exploit some vulnerabilities like XSS, CSRF, Clickjacking and steal users cookies or takeover user accounts.
• Attacker can deface the websites which is embedding sources from vulnerable subdomains. Or run JavaScript commands remotely.
• Attacker can manipulate the corporational and critical endpoints like payment APIs.
• Attacker can force visitors to download malware.
• Attacker can hack users devices remotely and spy them if this subdomain is using for autoupdates.
• Attacker can make illegal requests by visitors browser.

How We Discovered 670+ Vulnerable Subdomains of Microsoft?

Our automated system scanned all subdomains of some Microsoft domains and found hundreds of vulnerable subdomains in a short time. You can track your subdomains and get an alert when your subdomains are vulnerable, by our advanced technology. Visit: Security Tools

If you are a webmaster, we suggest you to track your subdomains and remove unnecessaried subdomains regularly. Also you should review Microsoft's guide to be aware about phishing attacks. This article written just for educational purpose and show the dangers about a potential subdomain takeover attacks. Subdomains are ethically reported to Microsoft and fixed in a short time. It is not aiming an illegal activity.

Security is a right!

Date:  Mar 4, 2020