
Subdomains increased security risk for businesses

24 Oct 2014

New research has highlighted that abandoned subdomains are becoming an increased security risk for businesses.

Subdomains are often set up by companies for use with external services, but are often not disabled when those services are discontinued.

This creates a loophole for attackers.

Ownership of subdomains is not always properly validated by service providers, allowing attackers to set up new accounts and abuse subdomains forgotten by companies.

While removing or updating DNS entries for subdomains that are no longer actively used sounds like common practice, this oversight is apparently widespread among companies.

Detectify, the Stockholm-based provider of website security scanning services who did the research, says it identified at least 17 service providers who do not handle the subdomain ownership verification properly.

Detectify named Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, StatusPage.io and Tumblr as service providers not verifying

"We've also identified at least 200 organisations which are currently affected," the researchers said in a blog post. "In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains."

While this type of vulnerability may not be considered new, Detectify says there are many aspects to the problem: a domain owner who forgets to remove the DNS entry, a service provider who doesn't remind the domain owner to remove the DNS entry, and a service provider who does not perform additional validation when a new account tries to claim a subdomain that was previously used by another account.

While the risk to website owners varies depending on what can be done with a third-party service once a domain is pointed to it, if web pages or redirects can be set up, attackers could exploit the situation to launch credible phishing attacks by creating rogue copies of the main website.

Some of the subdomains exposed to this form of hijacking that were found by Detectify belonged to various types of organisations including government agencies, health services providers, insurance companies and banks.
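The oversight the article describes, a CNAME record left pointing at a third-party service after the service was cancelled, is something a domain owner can audit from their own zone data. The following script is an added example written for this page; it is not Detectify's tool or code from the original article. It walks a zone export, picks out CNAME records, flags any whose target no longer resolves (a common, though not the only, symptom of a dangling record) and labels the ones pointing at watched providers. The provider hostname suffixes in `WATCHED_PROVIDER_SUFFIXES`, the sample zone and the resolver answers are all constructed assumptions for the demonstration.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical list of provider hostname suffixes to watch. These are my
# assumptions for the example, not a list from the article; extend it with
# the hostnames of the services your own organisation actually uses.
WATCHED_PROVIDER_SUFFIXES: Dict[str, str] = {
    ".herokuapp.com": "Heroku",
    ".github.io": "GitHub Pages",
    ".myshopify.com": "Shopify",
    ".statuspage.io": "StatusPage.io",
}

# Constructed sample zone export: name -> (record type, target). Not real data.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":    ("A", "203.0.113.10"),
    "shop.example.com":   ("CNAME", "retired-store.myshopify.com"),
    "blog.example.com":   ("CNAME", "example-org.github.io"),
    "status.example.com": ("CNAME", "example-org.statuspage.io"),
    "mail.example.com":   ("CNAME", "mail.corp-provider.example"),
}

# Constructed resolver answers standing in for live DNS: True = target resolves.
SAMPLE_RESOLVES: Dict[str, bool] = {
    "retired-store.myshopify.com": False,   # service cancelled, record left behind
    "example-org.github.io": True,          # still in use
    "example-org.statuspage.io": False,     # cancelled, record left behind
    "mail.corp-provider.example": False,    # dangling, but not a watched provider
}


def provider_for(target: str) -> Optional[str]:
    """Return the watched provider name for a CNAME target, or None."""
    host = target.rstrip(".").lower()
    for suffix, provider in WATCHED_PROVIDER_SUFFIXES.items():
        if host.endswith(suffix):
            return provider
    return None


def live_resolves(target: str) -> bool:
    """Ask the system resolver whether the CNAME target still resolves.

    gethostbyname only looks for an A record, so a target that exists with
    only an AAAA record would be reported as dangling; treat a hit as a
    candidate to review, not as proof of takeover exposure.
    """
    try:
        socket.gethostbyname(target)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone: Dict[str, Tuple[str, str]],
                  resolves: Callable[[str], bool]) -> List[dict]:
    """Report every CNAME that points at a watched provider or no longer resolves."""
    findings: List[dict] = []
    for name, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        provider = provider_for(target)
        alive = bool(resolves(target))
        if alive and provider is None:
            continue                      # healthy, first-party target: nothing to report
        findings.append({
            "name": name,
            "target": target,
            "provider": provider or "unknown provider",
            # "active" records are a third-party dependency to keep in the inventory;
            # "dangling" records should be deleted or the target reclaimed at the provider.
            "status": "active" if alive else "dangling",
        })
    return findings


if __name__ == "__main__":
    # Swap in live_resolves to run against a real zone export.
    for f in find_dangling(SAMPLE_ZONE, lambda t: SAMPLE_RESOLVES.get(t, False)):
        print(f"{f['status']:8} {f['name']:22} -> {f['target']} ({f['provider']})")
```

Run against a real zone by replacing the lambda with `live_resolves`. Treat "dangling" hits as records to remove (or targets to reclaim at the provider) and "active" hits as the list of third-party services whose cancellation must trigger a DNS change, which is the process gap the article points at.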
