A subdomain takeover vulnerability in a popular WordPress hosting platform could allow an attacker to deploy malicious code to a victim by impersonating a legitimate website.
The security flaw was discovered in Flywheel, a platform that offers WordPress hosting and related services.
Takeover
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain, usually when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.
“This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed,” Ahmed Elmalky, who discovered the issue, told The Daily Swig.
“An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it. The visitor will have no clue if something bad happened because he [can] still access the legitimate domain.”
Using a subdomain takeover, attackers can send phishing emails from the legitimate domain, perform cross-site scripting (XSS) attacks, or even damage the reputation of the brand associated with the domain.
The exploit
In a blog post, Elmalky described how he was able to exploit the vulnerability by finding a page that was hosted by Flywheel but wasn’t set up correctly.
He subscribed to Flywheel for $15, created a site, and linked it to the vulnerable subdomain. Thus, he had taken it over.
“An attacker can use this misconfiguration to take over the subdomain, publish arbitrary content, run malicious JavaScript code at the user’s end, harvest credentials using phishing attack[s], deface a website… [and] steal the cookies of the user if cookies are scoped to the parent domain and escalate to account takeover,” Elmalky wrote.
The severity of the attack was listed as ‘high’.
The mitigation
In order to protect against this simple but severe attack, end users should audit available DNS records and make sure they are aware of how exactly they are used and what type of services or applications are managed on them, Elmalky told The Daily Swig.
He added: “Review your DNS entries and remove all entries which are active but no longer in use – especially those pointing to external services.
“Make sure to remove the stale CNAME record in the DNS zone file. Ensure your external services are configured to listen to your wildcard DNS.
“Don’t forget the ‘off-boarding’ – add ‘DNS entry removal’ to your checklist,” he continued. “When creating a new resource, make the DNS record creation the last step in the process to avoid it from pointing to a non-existing domain.
“Continuously monitor your DNS entries and ensure there are no dangling DNS records.”
The researcher, from US-based cyber threat intelligence company Resecurity, also said that in his work he has seen “several campaigns by threat actors and hacking groups actively leveraging this flaw”.
Elmalky explained: “They create fake websites using legitimate subdomains (A-records) of well-known organizations and deploy their malicious code or phishing content or other harmful scenarios to attack the end users.”
The Daily Swig has reached out to Flywheel but did not receive a reply. This article will be updated if and when we do.
