[HN Gopher] Microsoft subdomain takeover
___________________________________________________________________
Microsoft subdomain takeover
Author : kailanb
Score : 146 points
Date : 2023-01-08 00:16 UTC (22 hours ago)
(HTM) web link (cseo-coherence.microsoft.com)
(TXT) w3m dump (cseo-coherence.microsoft.com)
| jiggawatts wrote:
| The shameful thing about this is that I get "subdomain takeover"
| warning emails from Azure on a regular basis. Microsoft has a ton
| of automation around this for their customers already.
| jmull wrote:
| Don't click that red button... ;)
| [deleted]
| simlevesque wrote:
| For what ?
| lukew3 wrote:
| Looks like it's been fixed. Here's the archived page:
| https://web.archive.org/web/20230107222311/http://cseo-coher...
| breakingcups wrote:
| It's still working for me. Must be a DNS cache thing.
| lukew3 wrote:
| Maybe, it redirects me to https://redirect.microsoft when I
| visit the link
| shaicoleman wrote:
| Old CNAME was pointing to microsoft.github.io.
|
| Now the CNAME is pointing to redirect-dns.msftdomains.com.
| breakingcups wrote:
| Wonder if there are any cookies that would be able to access...
| hsbauauvhabzb wrote:
| By default cookies are scoped to the subdomain only, so while
| not impossible, some other domain would have to go out of its
| way to screw that up
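The cookie scoping point above, worked through as an added example (not code from anyone in this thread). It implements the RFC 6265 rules for host-only cookies versus cookies carrying a Domain attribute and checks which of two constructed Set-Cookie headers a sibling subdomain would receive. The only hostname taken from the thread is cseo-coherence.microsoft.com; www.microsoft.com as the setting host and the header contents are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # effective domain the cookie is bound to
    host_only: bool      # True when the server sent no Domain attribute


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header value as received from origin_host.

    RFC 6265 section 5.3: without a Domain attribute the cookie is
    host-only and goes back only to origin_host; with a Domain attribute
    it goes to that domain and to every subdomain of it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = origin_host.lower()
    host_only = True
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            # Leading dot is ignored by browsers, so normalise it away.
            domain = value.strip().lstrip(".").lower()
            host_only = False
    return Cookie(name, domain, host_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address special case omitted)."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def over_scoped(headers: list[str], origin_host: str, other_host: str) -> list[str]:
    """Names of cookies set by origin_host that would also reach other_host.

    This is the audit a defender runs over its Set-Cookie headers: any
    name listed here is shared with every subdomain under the Domain
    attribute, including one that is no longer under the owner's control.
    """
    return [
        c.name
        for c in (parse_set_cookie(h, origin_host) for h in headers)
        if sent_to(c, other_host)
    ]


# Constructed headers (assumption: set by www.microsoft.com). The second
# deliberately widens scope to the parent domain.
HOST_ONLY = "session=abc123; Path=/; Secure; HttpOnly"
PARENT_SCOPED = "prefs=dark; Domain=microsoft.com; Path=/; Secure"
ORIGIN = "www.microsoft.com"
SIBLING = "cseo-coherence.microsoft.com"

if __name__ == "__main__":
    print(over_scoped([HOST_ONLY, PARENT_SCOPED], ORIGIN, SIBLING))  # ['prefs']
```

The default, as the comment says, is the safe one: a cookie without a Domain attribute never leaves the exact host that set it. The exposure arises only when a site opts into Domain=parent so that all subdomains share the cookie.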
| 0xfffafaCrash wrote:
| Isn't Truffle Security opening themselves up to litigation from
| this? It's harmless, but is the risk of having Microsoft's army
| of lawyers throw CFAA at you really worth this?
| arkadiyt wrote:
| > is the risk of having Microsoft's army of lawyers throw CFAA
| at you really worth this?
|
| Microsoft has Safe Harbor.
| jeffparsons wrote:
| > [...] the risk of having Microsoft's army of lawyers throw
| CFAA at you [...]
|
| Especially now that this has been on Hacker News, I don't think
| even Microsoft is stupid enough to go on the offensive over
| something like this. The bad press would be so much greater
| than anything they have to gain.
| [deleted]
| PradeetPatel wrote:
| Exactly, most PR professionals know about the damaging effect
| of the Streisand effect. There are better ways to ensure this
| isolated incident doesn't make it to the press, and deal with
| the independent researchers accordingly for not going through
| the proper channels.
| rootusrootus wrote:
| > is the risk of having Microsoft's army of lawyers throw CFAA
| at you really worth this?
|
| Well, previously I'd never heard of Truffle Security, but now I
| have. So ... maybe?
| ericpauley wrote:
| Security vulnerabilities due to resource reuse (subdomain
| takeover is just one example of this) are rampant and readily
| exploitable for tons of major companies, especially as cloud
| providers and SaaS often overlook these as being client
| responsibilities.
|
| Shameless plug, I've worked on identifying/characterizing these
| issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf
|
| It's only a matter of time before adversaries become more
| sophisticated at identifying and exploiting these in bulk.
| zakki wrote:
| I read 2 examples of the links provided in the archive.today. Is
| this attack possible because the subdomain is provided by a
| CDN/S3 (or public cloud in general)? What if it doesn't use any
| CDN? Just a plain web server serving the site but no longer
| available, or the web server is down.
| metadat wrote:
| Is this an example of the attack in the wild? Or what did I just
| view?
| _s wrote:
| Someone has added http://cseo-coherence.microsoft.com to their
| CNAME file on Github Pages, as this domain's DNS entries were
| already pointing to GitHub Pages.
|
| It's a subdomain takeover, but not as we would normally think
| of it (getting access to the DNS settings and pointing them to
| what we want) but from getting "access" to the server the
| subdomain already points to.
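The mechanism _s describes, and the broader "resource reuse" class ericpauley refers to, come down to one defensive check: a CNAME in your zone that points at a provider where anyone can claim the name, while your organisation has not itself claimed it there. Below is an added example of that audit (not code from Truffle Security, Microsoft, or anyone in the thread). The facts taken from the thread are the two CNAME targets shaicoleman reported, microsoft.github.io before the fix and redirect-dns.msftdomains.com after; the zone excerpt, the example.com records, and the set of names "claimed at the provider" are constructed.

```python
from dataclasses import dataclass

# Provider suffixes where whoever registers a custom domain at the provider
# gets to serve content for it. GitHub Pages (github.io) is the one the
# thread attests; extending this tuple for other providers is an assumption
# left to the reader.
CLAIMABLE_SUFFIXES = (".github.io",)


@dataclass(frozen=True)
class CnameRecord:
    name: str
    target: str


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot that zone files use."""
    return host.strip().rstrip(".").lower()


def parse_zone(text: str) -> list[CnameRecord]:
    """Extract CNAME records from a BIND-style zone export.

    Accepts '<owner> [ttl] [IN] CNAME <target>' lines, skips comments
    (';'), blank lines, and every other record type.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed line: no owner name or no target
        records.append(CnameRecord(normalize(fields[0]), normalize(fields[idx + 1])))
    return records


def is_claimable_target(target: str) -> bool:
    return normalize(target).endswith(CLAIMABLE_SUFFIXES)


def find_dangling(records, claimed_names) -> list[str]:
    """Owner names whose CNAME points at a claimable provider while the
    name is absent from the set of custom domains the organisation has
    actually registered there (for GitHub Pages: the contents of its own
    repositories' CNAME files). Such a name can be bound by another account,
    which is exactly what happened to cseo-coherence.microsoft.com."""
    claimed = {normalize(n) for n in claimed_names}
    return sorted(
        r.name for r in records
        if is_claimable_target(r.target) and r.name not in claimed
    )


# Constructed zone excerpts. The first mirrors the thread before the fix,
# the second after it; docs.example.com is a placeholder for a Pages site
# the organisation has properly claimed.
ZONE_BEFORE = """\
; constructed sample, not a real export
cseo-coherence.microsoft.com.  3600 IN CNAME microsoft.github.io.
docs.example.com.              3600 IN CNAME example.github.io.
www.example.com.               300  IN A     192.0.2.10
"""

ZONE_AFTER = """\
cseo-coherence.microsoft.com.  3600 IN CNAME redirect-dns.msftdomains.com.
docs.example.com.              3600 IN CNAME example.github.io.
"""

# Custom domains the organisation has configured at the provider
# (constructed). cseo-coherence is deliberately not among them.
CLAIMED_AT_PROVIDER = {"docs.example.com"}


def audit(zone_text: str) -> list[str]:
    return find_dangling(parse_zone(zone_text), CLAIMED_AT_PROVIDER)


if __name__ == "__main__":
    print("before fix:", audit(ZONE_BEFORE))  # ['cseo-coherence.microsoft.com']
    print("after fix: ", audit(ZONE_AFTER))   # []
```

This also answers zakki's question further down: the check only fires for targets under a shared provider suffix. A CNAME or A record pointing at a plain web server that is simply down is a broken link, not a claimable one, because nobody else can register that hostname at a provider and start serving it.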
| metadat wrote:
| p.s. archive snapshot in case the site gets taken down later:
| https://archive.today/DEzVW
| simlevesque wrote:
| Congrats to https://trufflesecurity.com/
|
| The email rejection's tone is weird.
| demarq wrote:
| I want to click the red button.
|
| so bad.
| demarq wrote:
| EDIT: I caved in
| _s wrote:
| Seems like it injects this script:
|
| https://nthitz.github.io/turndownforwhatjs/tdfw.js
|
| Which plays a YouTube video?
| zamadatix wrote:
| The video is just for sound, the main amusement is it
| scrambles the page in tune with the song.
| m3h wrote:
| It is harmless fun.
| indigodaddy wrote:
| I'd doubt MS agrees.
| jugg1es wrote:
| what a missed rick-roll opportunity
| speedylight wrote:
| It plays the song Turn Down for What and the whole page starts
| shaking lol
| [deleted]
___________________________________________________________________
(page generated 2023-01-08 23:00 UTC)