
Researchers claim that the popular WordPress platform Flywheel is vulnerable to subdomain takeover

Jessica Haworth, December 23, 2021, 16:33 UTC

Updated: December 23, 2021, 17:34 UTC

Malicious actors could cause serious damage by impersonating legitimate websites

Security researchers say that a subdomain takeover vulnerability in a popular WordPress hosting platform could allow attackers to deliver malicious code to victims by posing as legitimate websites.

The flaw was found in Flywheel, a platform that provides WordPress hosting and related services.

Takeover

A subdomain takeover occurs when an attacker gains control of a subdomain of the target domain. It typically happens when the subdomain has a canonical name (CNAME) record in the Domain Name System (DNS), but no host is actually serving content for it.
</gre_replace>
<gr_replace lines="21" cat="clarify" orig="“This may be">
“This may be because the virtual host has not been published, or because the virtual host has been deleted,” Ahmed Elmalky, who discovered the issue, told The Daily Swig.

“This may be because the virtual host has not been released or the virtual host has been deleted,” Ahmed Elmalky, who discovered the problem, told Drink it every day.

“The attacker can take over the subdomain by providing his own virtual host and hosting his own content for it. The visitor will not know that something bad has happened, because he [can] still be accessing the legitimate domain.”

Using a subdomain takeover, attackers can send phishing emails from a legitimate domain, perform cross-site scripting (XSS) attacks, and even damage the reputation of the brand associated with the domain.

Exploit

In a recent blog post, Elmalky described how he exploited the vulnerability by looking for pages hosted on Flywheel but not properly set up.

He subscribed to Flywheel for $15, created a site, and linked it to a vulnerable subdomain, thereby taking it over.

“Attackers can use this misconfiguration to take over subdomains, publish arbitrary content, run malicious JavaScript code on the client side, use phishing attacks to obtain credential[s], deface the website… [and] steal users’ cookies if the cookie is scoped to the parent domain, escalating to account takeover,” Elmalky wrote.

The severity of the attack was classified as “high.”

Mitigation

To prevent this simple but potentially destructive attack, Elmalky told The Daily Swig that end users should review the DNS records they have in place and make sure they understand how those records are used and what kinds of services or applications they manage.

He added: “Check your DNS entries and remove all those that are active but no longer used, especially those that point to external services.

“Make sure stale CNAME records are deleted from the DNS zone file. Make sure your external service is configured to listen on your wildcard DNS.

“Don’t forget about ‘exit’: add ‘DNS entry deletion’ to your list,” he continued. “When creating a new resource, create the DNS record as the last step in the process so that it never points to a non-existent domain.

“Continuously monitor your DNS entries and make sure that there are no dangling DNS records.”
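The condition described above (a CNAME alias in your own zone whose target no longer resolves) and the continuous monitoring Elmalky recommends can be automated with a small zone audit. The following Python is an added example, not code from Elmalky, Flywheel or The Daily Swig; the sample zone records, the `hosting-provider.example` hostnames and the resolver lookup table are all constructed for the demonstration, and the `apex` argument and `Finding.external` flag are this example's own design, not terms from the article.

```python
"""Audit a DNS zone export for dangling CNAME records.

A CNAME is "dangling" when the alias still exists in our zone but the
target it points at no longer resolves (NXDOMAIN). That is the precondition
for a subdomain takeover, so these are the records to delete first.
Intended to be run against your own zone export during the "exit" step.
"""
import socket
from typing import Callable, Iterable, List, NamedTuple


class Record(NamedTuple):
    name: str    # owner name, e.g. "blog.example.com."
    rtype: str   # "A", "CNAME", ...
    value: str   # IP address or CNAME target


class Finding(NamedTuple):
    name: str
    target: str
    external: bool  # True when the target lies outside our own zone


def _norm(name: str) -> str:
    """Strip the trailing dot and lower-case so comparisons are stable."""
    return name.rstrip(".").lower()


def resolves(host: str) -> bool:
    """Live resolver: True if the host has any address record."""
    try:
        socket.getaddrinfo(_norm(host), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records: Iterable[Record], apex: str,
                         resolver: Callable[[str], bool] = resolves) -> List[Finding]:
    """Return every CNAME whose target does not resolve.

    `apex` is our own zone (e.g. "example.com"). Targets outside it are
    flagged `external`, because a third-party host that someone else can
    register is the usual takeover path; in-zone targets are still stale
    records that should be cleaned up.
    """
    apex = _norm(apex)
    findings = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue
        target = _norm(rec.value)
        if not resolver(target):
            in_zone = target == apex or target.endswith("." + apex)
            findings.append(Finding(_norm(rec.name), target, external=not in_zone))
    return findings


# Constructed sample zone for the demonstration (not a real export).
SAMPLE_ZONE = [
    Record("example.com.", "A", "192.0.2.10"),
    Record("www.example.com.", "CNAME", "example.com."),
    Record("blog.example.com.", "CNAME", "old-site.hosting-provider.example."),
    Record("shop.example.com.", "CNAME", "shop-prod.hosting-provider.example."),
    Record("legacy.example.com.", "CNAME", "retired.example.com."),
]

# Constructed lookup table standing in for live DNS answers, so the
# example runs offline: only these names "resolve".
_KNOWN_HOSTS = {"example.com", "shop-prod.hosting-provider.example"}


def fake_resolver(host: str) -> bool:
    return _norm(host) in _KNOWN_HOSTS


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed zone with the offline resolver."""
    return find_dangling_cnames(SAMPLE_ZONE, "example.com", fake_resolver)


if __name__ == "__main__":
    for f in audit_sample():
        kind = "external" if f.external else "in-zone"
        print(f"DANGLING {f.name} -> {f.target} ({kind})")
```

To run it against a real zone, build the `Record` list from your DNS provider's export and call `find_dangling_cnames(records, "your-zone")` with the default `resolves` resolver. Note the check's limit: it only catches targets that return NXDOMAIN. The Flywheel case the article describes is the other variant, where the provider's hostname still resolves but no site is bound to that alias; detecting that requires an additional HTTP probe for the provider's "no site configured" response, which this example does not attempt. The article's mention of A records pointing at reused provider IP addresses is likewise a separate class of dangling record not covered here.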


Elmalky, a researcher at Resecurity, a US cyber threat intelligence company, also said that in his work he has seen “several activities by threat actors and hacker groups actively using this flaw.”

Elmalky explained: “They use legitimate subdomains (A records) of well-known organizations to create fake websites and deploy their malicious code, phishing content or other harmful scenarios to attack end users.”

The Daily Swig has contacted Flywheel but has not yet received a response. This article will be updated if we hear back.
