IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
Subdomains increased security risk for businesses
Fri, 24th Oct 2014
FYI, this story is more than a year old

New research has highlighted that abandoned subdomains are becoming an increased security risk for businesses.

Subdomains are often set up by companies for use external services, but are often not disabled when those services stop.

This creates a loophole for attackers.

Ownership of subdomains are not always properly validated by service providers, allowing attackers to set up new accounts and abuse subdomains forgotten by companies.

While removing or update DNS entries for subdomains they are no longer actively used sounds like common practice, this oversight is apparently widespread among companies.

Detectify, the Stockholm-based provider of website security scanning services who did the research, says it identified at least 17 service providers who do not handle the subdomain ownership verification properly.

Detectify named Heroku, Github, Bitbucket, Squarespace, Shopify, Desk, Teamwork, Unbounce, Helpjuice, HelpScout, Pingdom, Tictail, Campaign Monitor, CargoCollective, and Tumblr as service providers not verifying

"We've also identified at least 200 organisations which are currently affected," the researchers said in a blog post. "In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains."

While this type of vulnerability may not be considered new, Detectify says there are many aspects to the problem. A domain owner who forgets to remove the DNS-entry, the service provider who doesn't remind the domain owner to remove the DNS-entry, and the service provider who does not validate more when a new account is trying to use the same account as before.

While the risk to website owners varies depending on what can be done of a third party service once a domain is pointed to it, if web pages or redirects are set up, attackers could exploit the situation to launch credible phishing attacks by creating rogue copies of the main website.

Some of the subdomains exposed to this form of hijacking that were found by Detectify belonged to various types of organisations including government agencies, health services providers, insurance companies and banks.