When Web2 meets Web3: Understanding Subdomain Takeovers

16 Aug 2024

9 Minutes

Greetings! Chris here again, your friendly neighborhood whitehat from Zokyo Labs, bringing you another article about security.

Today we’re diving into a topic that affects both the Web2 and Web3 worlds: subdomain takeovers. We’ll look at how these vulnerabilities arise and how attackers exploit them, and finish with a case study of the recent Squarespace domain hijacking that hit the Web3 space.

Table of Contents

What are Subdomains?
Subdomain Takeovers
How is this Issue Exploited?
Squarespace Hijacking: A Case Study
Recommendations
Conclusion

What Are Subdomains?


Say you run a company, megacorp.com, that hosts web content for your external-facing customers. Within that domain you have set up the subdomain app-test.megacorp.com for the developers.

Because you don't want customers to see the name app-test, you publish a CNAME record, a DNS alias that maps one name onto another: app.megacorp.com CNAME app-test.megacorp.com. A resolver looking up app.megacorp.com is redirected to app-test.megacorp.com, so requests for app.megacorp.com reach whatever infrastructure app-test.megacorp.com points to.

Subdomain Takeovers


Years pass. Your dev team has been hard at work building fancy new applications for the organisation and its customers.

The infrastructure behind app-test.megacorp.com was torn down long ago, but one thing was missed: the CNAME record that still points app.megacorp.com at app-test.megacorp.com. An alias whose target no longer has anything behind it is called a dangling CNAME, and this is the situation in which subdomain takeovers typically manifest.

An attacker who comes across it can claim the target name on whichever service used to host it, a GitHub Pages site, an S3 bucket or a Squarespace website depending on the provider, and whatever they publish there is served to everyone who visits app.megacorp.com. That is when all sorts of nasty stuff can happen.

Control of a forgotten subdomain lets the attacker host whatever they like under your name: malware, phishing pages, or scripts that steal cookies scoped to the parent domain (the Cross-Site Scripting (XSS) angle). In the worst case it defeats controls that trust anything under the domain, such as CORS policies, and in Web3 it puts attacker-controlled code in front of users who are connecting wallets and signing transactions, who can be tricked into signing draining transactions or handing over their keys. That is what makes this vulnerability particularly dangerous.

How Is This Issue Exploited? 


This is going to be a little bit different from what we’re used to in Web3 security. For this issue, we’re going to have to reach into our Web2 toolset. Here we go.

Reconnaissance


The first step is reconnaissance on the target domain; to keep the scenario consistent we stay with megacorp.com. Enumerate the subdomains of megacorp.com by brute-forcing names from a wordlist with a fuzzer such as gobuster (its dns mode) or wfuzz. Alternatively, or in addition, search the Certificate Transparency logs at crt.sh for subdomains that once had a certificate issued and may since have been forgotten. See the examples below:

  • Gobuster

  • Crt.sh

Navigating to crt.sh and searching for %.megacorp.com lists every logged certificate issued for the domain together with the hostnames on it:

Hacker's Notes: crt.sh is a searchable database built from Certificate Transparency logs. Certificate Transparency is an internet standard and open-source framework for logging, monitoring and auditing the certificates that browsers accept for HTTPS; because publicly trusted certificates are logged when issued, the logs are a historical record of hostnames that existed at some point, whether or not they still resolve today. This is totally scriptable with a bit of Python (crt.sh offers JSON output) to parse and act on the results according to the scope of the engagement, a fun little exercise.

The Symptoms


When you look into a particular subdomain (in this case app.megacorp.com), the first thing to watch for is a 404 that comes from the hosting provider rather than from an application. The name still resolves, so DNS is alive, but the provider has nothing to serve for it: the site behind it was deleted, or was never claimed at all. In this case it is Squarespace's page for an unclaimed domain:



Having found the 404, we use dig to discover what the name is an alias for:

└─$ dig app.megacorp.com

app.megacorp.com. 255 IN CNAME app-test.megacorp.com.

The alias chain ends at a service that no longer recognises this name. Whoever adds app-test.megacorp.com to their own account on that service will have their content served to everyone who visits app.megacorp.com.
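The recon and symptom checks above, and the DNS audit recommended later in the article, fit naturally into one script. The following is an added example written for this article, not tooling from the original post or from Zokyo: it parses crt.sh-style JSON into candidate hostnames, follows each name's CNAME chain the way dig does, and flags names whose chain is broken or whose final hop answers with a provider "unclaimed" 404. The crt.sh records, the zone data, the HTTP responses, the provider name hosting.example.net and the 404 marker text are all constructed stand-ins so that it runs offline; in a real engagement you would swap in a crt.sh fetch, a resolver and an HTTP client, and use the real error-page fingerprint of the provider in question.

```python
import json
from typing import Callable, Dict, List, Optional, Set, Tuple

# Step 1: candidate hostnames from Certificate Transparency.
# Constructed sample shaped like https://crt.sh/?q=%25.megacorp.com&output=json
# (only the fields used here; megacorp.com is the article's fictional domain).
CRTSH_SAMPLE = json.dumps([
    {"common_name": "megacorp.com", "name_value": "megacorp.com\nwww.megacorp.com"},
    {"common_name": "app.megacorp.com", "name_value": "app.megacorp.com"},
    {"common_name": "*.megacorp.com", "name_value": "*.megacorp.com\nAPP-TEST.megacorp.com"},
    {"common_name": "app.megacorp.com", "name_value": "app.megacorp.com"},  # renewed cert, duplicate
    {"common_name": "old.megacorp.com", "name_value": "old.megacorp.com"},
])


def hosts_from_crtsh(raw_json: str, apex: str) -> List[str]:
    """Unique, lower-cased hostnames under `apex` from crt.sh JSON output.
    name_value lists every SAN on the certificate, newline-separated.
    Wildcards are dropped: '*.megacorp.com' is not a name you can query."""
    hosts: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if in_zone(name, apex):
                hosts.add(name)
    return sorted(hosts)


def in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


# Step 2: follow the CNAME chain, as `dig` would.
# Constructed zone data; a missing key means NXDOMAIN. hosting.example.net is a
# placeholder third-party hosting provider, not a real Squarespace endpoint.
ZONE: Dict[str, str] = {
    "megacorp.com":          "A 203.0.113.10",
    "www.megacorp.com":      "CNAME megacorp.com.",
    "app.megacorp.com":      "CNAME app-test.megacorp.com.",  # the forgotten alias
    "app-test.megacorp.com": "CNAME hosting.example.net.",    # site deleted at the provider
    "hosting.example.net":   "A 198.51.100.7",
    "old.megacorp.com":      "CNAME gone.megacorp.com.",      # target name no longer exists
}

Lookup = Callable[[str], Optional[str]]


def resolve_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Return (names visited, terminal record). The record is None when the
    chain ends in NXDOMAIN or loops, i.e. when the alias is dangling."""
    chain = [name.lower().rstrip(".")]
    for _hop in range(max_hops):
        record = lookup(chain[-1])
        if record is None:
            return chain, None
        rtype, _, target = record.partition(" ")
        if rtype != "CNAME":
            return chain, record
        target = target.lower().rstrip(".")
        if target in chain:          # CNAME loop: also broken
            return chain, None
        chain.append(target)
    return chain, None


# Step 3: the symptom. Constructed (status, body) pairs standing in for a GET
# to each hostname; the 404 text is a placeholder for the provider's real
# "unclaimed domain" page, which is the fingerprint you match in practice.
HTTP_SAMPLE: Dict[str, Tuple[int, str]] = {
    "megacorp.com":          (200, "<h1>MegaCorp</h1>"),
    "www.megacorp.com":      (200, "<h1>MegaCorp</h1>"),
    "app.megacorp.com":      (404, "This domain is not connected to a website yet."),
    "app-test.megacorp.com": (404, "This domain is not connected to a website yet."),
}
UNCLAIMED_MARKERS = ("not connected to a website", "no such site", "unclaimed")

Fetch = Callable[[str], Optional[Tuple[int, str]]]


def classify(host: str, apex: str, lookup: Lookup, fetch: Fetch) -> str:
    chain, terminal = resolve_chain(host, lookup)
    if len(chain) == 1:
        return "direct"                      # no alias involved, nothing to dangle
    ends_outside_zone = not in_zone(chain[-1], apex)
    if terminal is None:
        # Broken alias. Claimable only if the dead name lives in a zone an
        # attacker can register or on a service where they can create an account.
        return "dangling-external" if ends_outside_zone else "dangling-internal"
    response = fetch(host)
    if (ends_outside_zone and response is not None and response[0] == 404
            and any(m in response[1].lower() for m in UNCLAIMED_MARKERS)):
        return "takeover-candidate"          # DNS alive, provider has no site for it
    return "ok"


def audit(raw_json: str, apex: str, lookup: Lookup, fetch: Fetch) -> Dict[str, str]:
    """One-shot DNS audit: every CT-discovered name with its verdict."""
    return {h: classify(h, apex, lookup, fetch) for h in hosts_from_crtsh(raw_json, apex)}


if __name__ == "__main__":
    for host, verdict in audit(CRTSH_SAMPLE, "megacorp.com", ZONE.get, HTTP_SAMPLE.get).items():
        print(f"{host:28} {verdict}")
```

Two verdicts deserve a note. A "dangling-internal" result (old.megacorp.com above) is a broken record an attacker cannot normally claim, because the dead target sits in your own zone; it still wants cleaning up. A "takeover-candidate" is the article's case: DNS is live, the chain leaves your zone, and the provider at the end of it no longer knows the name.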

Exploitation and Impact


In this case we have determined that app.megacorp.com is served by Squarespace. We create a Squarespace account, add app-test.megacorp.com to it, and publish a malicious site that visitors reach at app.megacorp.com. Because the existing DNS already points at the provider, no further proof of ownership is needed, and that is exactly what makes the takeover possible. The site can then be used for any of the following:

  • Malware distribution

  • Phishing and Spear Phishing

  • Theft of cookies through Cross Site Scripting (XSS)

  • Bypasses of controls that trust the parent domain, such as a CORS (Cross-Origin Resource Sharing) policy that allows any *.megacorp.com origin, or cookies set with Domain=megacorp.com, which browsers send to every subdomain

In Web3 the front end is where users connect their wallets and sign transactions, which is what makes subdomain takeovers especially dangerous here. Client-side code on a taken-over subdomain can be rewritten to the attacker's liking behind a legitimate-looking URL, so the signing prompt a user approves can be for a transaction that drains their wallet.
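The CORS bypass in the list above comes from a specific coding pattern, shown here as an added example that is not from the original post or from Zokyo: an API that reflects any Origin whose host "belongs to us" by suffix check, next to the exact allowlist that closes the hole. The API, the trusted origin set and the header-building helper are constructed for the illustration.

```python
from urllib.parse import urlsplit

APEX = "megacorp.com"
# Origins that genuinely need credentialed access to the API (constructed).
TRUSTED_ORIGINS = {"https://megacorp.com", "https://www.megacorp.com"}


def cors_allow_weak(origin: str) -> bool:
    """The pattern that turns a subdomain takeover into an API compromise:
    reflect any Origin that ends with our apex. Every *.megacorp.com passes,
    including a taken-over app.megacorp.com, and because this is a plain
    suffix check so does https://evil-megacorp.com."""
    return origin.endswith(APEX)


def cors_allow_strict(origin: str) -> bool:
    """Exact allowlist of scheme + host (+ port), compared after
    normalisation. A stray subdomain, a look-alike registrable domain or
    plain http gains nothing, no matter what DNS says."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.netloc or parts.path not in ("", "/"):
        return False
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return normalised in TRUSTED_ORIGINS


def cors_headers(origin: str, policy) -> dict:
    """Response headers the API emits for a request carrying `origin`.
    Credentials are only ever released to an origin the policy accepts,
    and Vary: Origin keeps caches from serving one origin's answer to another."""
    if policy(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}
```

With the weak policy, a page on a taken-over app.megacorp.com can make credentialed fetches to the API and read the responses; with the strict policy the same page gets no CORS headers at all and the browser blocks the read.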

Recommendations


Audit DNS records regularly, especially after significant changes to the organisation's infrastructure, to find subdomains pointing at services that are no longer in use. When a dangling CNAME is discovered, the infrastructure team should remove the DNS record for that subdomain immediately. Better still, make deleting the DNS record the first step of any decommissioning, before the resource it points to is torn down, so that there is never a window in which the alias dangles.

Squarespace Hijacking: A Case Study

What Happened?


On 9 July 2024, Web3 protocols whose domains were managed at Squarespace came under attack. Once an attacker controlled a domain's Squarespace account, they could change its name servers or DNS records, removing DNSSEC settings along the way, to point the domain at a malicious website built to drain the wallets of users who connected to it.

The Root Cause


The breach stemmed from the migration of domains from Google Domains to Squarespace. Domains belonging to Celer Network, dYdX, Compound Finance, Pendle Finance and Unstoppable Domains were hijacked, and all of them reported losing control of their domains that week. Attackers deployed wallet-draining phishing kits on the hijacked domains, and users who arrived via the legitimate address had no way of knowing that their funds were being stolen behind it.

The background is Squarespace's acquisition of Google Domains in June 2023, after which the domains were migrated onto Squarespace's infrastructure in June 2024. Squarespace assumed that migrating users would sign in with a social login ("Continue with Google" or "Continue with Apple") rather than "Continue with Email". A threat actor could sign up through the "Continue with Email" flow using an email address associated with a recently migrated domain, before the legitimate holder of that address had created the account themselves.

On top of that, accounts migrated from Google Domains had multi-factor authentication disabled, a deliberate choice to reduce the chance of admins being locked out after the migration. So nothing stood in the attacker's way: the migrated accounts were only half initialised on the back end, had no password, and already held the domain in question. The attacker was simply greeted with the "create a password for your new account" prompt.

Which domains had moved from Google Domains to Squarespace was either public information or easily discovered with basic reconnaissance. If the email address associated with a domain never completed Squarespace signup, because the administrator had left the company or nobody acted on the migration notification email, anyone who entered that address at Squarespace gained full control of the domain. Attackers used this to take over administrator and domain-manager accounts, rewrite DNS records, and hijack the legitimate websites and mail servers behind them.

Recommendations

For Subdomain Takeovers

  • Regularly audit DNS records: This is crucial to identify any rogue CNAMEs or unused subdomains.

  • Remove obsolete DNS records: If a subdomain is no longer in use, ensure that its DNS record is deleted.

For Squarespace Hijacking Prevention

  • Review user and domain lists: check regularly for accounts with access to your domains that you do not recognise.

  • Disable reseller access: this closes a backdoor route into the account. Squarespace provides instructions for doing so.

Conclusion


Whilst Zokyo is very active in the Web3 security space, we also have talented researchers with extensive experience in Web2 both as Software Engineers and Penetration Testers who can assist with your security needs. Feel free to reach out and thank you for reading, Chris over and out!

Copyright Notice and Disclaimer

All rights reserved.

All material appearing on the Zokyo website (the "Content") is protected by copyright under U.S. copyright law and is the property of Zokyo or the party credited as the provider of the Content. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any way exploit any such Content, nor may you distribute any part of this Content over any network, including a local area network, sell or offer it for sale, or use such Content to build any kind of database. You may not alter or remove any copyright or other notice from copies of the content on the Zokyo website. Copying or storing any Content without the prior written permission of Zokyo or the copyright holder identified in the individual content's copyright notice is expressly prohibited. For permission to use the Content on the Zokyo website, contact hello@zokyo.io

Zokyo attempts to ensure that content is accurate and obtained from reliable sources, but does not warrant that it is error-free. Zokyo may add, amend or repeal any policy, procedure or regulation, and failure to promptly post such changes on its website shall not be construed as a waiver of enforcement. Zokyo does not warrant that the functions on its website will be uninterrupted, that defects will be corrected, or that the website is free of viruses or other harmful components. Any links to third-party information on the Zokyo website are provided as a courtesy and do not constitute an endorsement of those materials or of the third party providing them.
