[HN Gopher] Microsoft subdomain takeover
___________________________________________________________________
 
Microsoft subdomain takeover
 
Author : kailanb
Score  : 146 points
Date   : 2023-01-08 00:16 UTC (22 hours ago)
 
 (HTM) web link (cseo-coherence.microsoft.com)
 (TXT) w3m dump (cseo-coherence.microsoft.com)
 
| jiggawatts wrote:
| The shameful thing about this is that I get "subdomain takeover"
| warning emails from Azure on a regular basis. Microsoft has a ton
| of automation around this for their customers already.
| 
| jmull wrote:
| Don't click that red button... ;)
| 
| [deleted]
| 
| simlevesque wrote:
| For what?
| 
| lukew3 wrote:
| Looks like it's been fixed. Here's the archived page:
| https://web.archive.org/web/20230107222311/http://cseo-coher...
| 
| breakingcups wrote:
| It's still working for me. Must be a DNS cache thing.
| 
| lukew3 wrote:
| Maybe, it redirects me to https://redirect.microsoft when I
| visit the link
| 
| shaicoleman wrote:
| Old CNAME was pointing to microsoft.github.io.
| 
| Now the CNAME is pointing to redirect-dns.msftdomains.com.
| 
| breakingcups wrote:
| Wonder if there are any cookies that it would be able to access..
| 
| hsbauauvhabzb wrote:
| By default cookies are scoped to the subdomain only, so while
| not impossible, some other domain would have to go out of its
| way to screw that up.
| 
| 0xfffafaCrash wrote:
| Isn't Truffle Security opening themselves up to litigation from
| this? It's harmless, but is the risk of having Microsoft's army
| of lawyers throw CFAA at you really worth this?
| 
| arkadiyt wrote:
| > is the risk of having Microsoft's army of lawyers throw CFAA
| at you really worth this?
| 
| Microsoft has Safe Harbor.
| 
| jeffparsons wrote:
| > [...] the risk of having Microsoft's army of lawyers throw
| CFAA at you [...]
| 
| Especially now that this has been on Hacker News, I don't think
| even Microsoft is stupid enough to go on the offensive over
| something like this.
| The bad press would be so much greater
| than anything they have to gain.
| 
| [deleted]
| 
| PradeetPatel wrote:
| Exactly, most PR professionals know about the damaging effect
| of the Streisand effect. There are better ways to ensure this
| isolated incident doesn't make it to the press, and deal with
| the independent researchers accordingly for not going through
| the proper channels.
| 
| rootusrootus wrote:
| > is the risk of having Microsoft's army of lawyers throw CFAA
| at you really worth this?
| 
| Well, previously I'd never heard of Truffle Security, but now I
| have. So ... maybe?
| 
| ericpauley wrote:
| Security vulnerabilities due to resource reuse (subdomain
| takeover is just one example of this) are rampant and readily
| exploitable for tons of major companies, especially as cloud
| providers and SaaS often overlook these as being client
| responsibilities.
| 
| Shameless plug, I've worked on identifying/characterizing these
| issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf
| 
| It's only a matter of time before adversaries become more
| sophisticated at identifying and exploiting these in bulk.
| 
| zakki wrote:
| I read 2 examples of the links provided in the archive.today. Is
| this attack possible because the subdomain is provided by a
| CDN/S3 (or public cloud in general)? What if it doesn't use any
| CDN? Just a plain web server serving the site but no longer
| available, or the web server is down.
| 
| metadat wrote:
| Is this an example of the attack in the wild? Or what did I just
| view?
| 
| _s wrote:
| Someone has added http://cseo-coherence.microsoft.com to their
| CNAME file on GitHub Pages, as this domain's DNS entries were
| already pointing to GitHub Pages.
| 
| It's a subdomain takeover, but not as we would normally think
| of it (getting access to the DNS settings and pointing them to
| what we want) but from getting "access" to the server the
| subdomain already points to.
| 
| metadat wrote:
| p.s. archive snapshot in case the site gets taken down later:
| https://archive.today/DEzVW
| 
| simlevesque wrote:
| Congrats to https://trufflesecurity.com/
| 
| The email rejection's tone is weird.
| 
| demarq wrote:
| I want to click the red button.
| 
| so bad.
| 
| demarq wrote:
| EDIT: I caved in
| 
| _s wrote:
| Seems like it injects this script:
| 
| https://nthitz.github.io/turndownforwhatjs/tdfw.js
| 
| Which plays a YouTube video?
| 
| zamadatix wrote:
| The video is just for sound, the main amusement is it
| scrambles the page in tune with the song.
| 
| m3h wrote:
| It is harmless fun.
| 
| indigodaddy wrote:
| I'd doubt MS agrees.
| 
| jugg1es wrote:
| what a missed rick-roll opportunity
| 
| speedylight wrote:
| It plays the song Turn Down for What and the whole page starts
| shaking lol
| 
| [deleted]
___________________________________________________________________
(page generated 2023-01-08 23:00 UTC)
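A defender-side triage check for the dangling-CNAME condition _s describes (a name still pointing at microsoft.github.io that nobody had claimed) and for the wider resource-reuse class ericpauley raises, added here as an example that is not code from the thread, from Microsoft or from Truffle Security. The DNS snapshot and HTTP bodies are constructed inline, and the example.com names are assumptions; only the pre- and post-fix CNAME targets come from the thread.

```python
# Dangling-CNAME triage, added as a defender-side example (not code from the thread
# or Truffle Security). A name whose CNAME ends at microsoft.github.io can be claimed
# by listing it in a GitHub Pages CNAME file; records and bodies are constructed inline.

# Providers that let any tenant claim a custom domain pointed at them, keyed by
# CNAME suffix, with the text an unclaimed name returns (GitHub Pages' 404 text;
# extend with other providers' fingerprints only once you have verified them).
CLAIMABLE_SERVICES = {"github.io": "There isn't a GitHub Pages site here"}

def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs inside the snapshot; returns the final target (or the name)."""
    for _ in range(max_hops):
        if name not in records:
            break
        name = records[name]
    return name

def claimable_service(target):
    """Return the provider suffix a CNAME target falls under, or None."""
    host = target.rstrip(".").lower()
    for suffix in CLAIMABLE_SERVICES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def find_takeover_candidates(records, bodies):
    """Flag (name, target, service) when the chain ends at a claimable provider
    AND the page served for the name shows that provider's unclaimed message."""
    findings = []
    for name in records:
        target = resolve_chain(records, name)
        service = claimable_service(target)
        if service and CLAIMABLE_SERVICES[service] in bodies.get(name, ""):
            findings.append((name, target, service))
    return findings

# Constructed snapshot: the first record mirrors the thread's pre-fix state, the
# second its post-fix target (redirect-dns.msftdomains.com), the third a claimed
# GitHub Pages site that must not be flagged, the fourth a chain into the dangling name.
DNS_SNAPSHOT = {
    "cseo-coherence.microsoft.com.": "microsoft.github.io.",
    "fixed.example.com.": "redirect-dns.msftdomains.com.",
    "docs.example.com.": "example.github.io.",
    "alias.example.com.": "cseo-coherence.microsoft.com.",
}
HTTP_BODIES = {  # what a GET to each name returned in this constructed run
    "cseo-coherence.microsoft.com.": "<h1>404</h1>There isn't a GitHub Pages site here.",
    "alias.example.com.": "<h1>404</h1>There isn't a GitHub Pages site here.",
    "fixed.example.com.": "<html>moved</html>",
    "docs.example.com.": "<html>Project docs</html>",
}
```

A claimed Pages site and the post-fix redirect target are deliberately left unflagged, so the check only fires where the provider itself reports the name as unowned.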