Hi. I am a bug bounty hunter and I wanted to alert...
Description
Hi. I am a bug bounty hunter and I wanted to alert you to a potentially critical security vulnerability I have identified related to the linaro.org website.
Please find my report below:
High-Impact Subdomain Takeover
FQDN: www-admin.linaro.org
IP address: 54.196.186.83
Overview of the Vulnerability
A subdomain takeover is when a misconfigured Domain Name System (DNS) record is re-registered to an endpoint owned by an attacker. An attacker is then able to redirect users to the endpoint and capture data such as cookies and credentials, perform Cross-Site Scripting (XSS) attacks, and potentially take over accounts in the legitimate application.
A high-impact subdomain takeover vulnerability was identified which could impact the reputation and brand of the business. An attacker can register a subdomain on behalf of the target domain and use it to create an HTML document with a JavaScript payload that triggers a Cross-Site Scripting (XSS) attack. The target domain can also be used to create a scenario where an attacker can harvest user credentials by phishing users who then visit and log in on a cloned version of a legitimate website.
You could imagine an attacker creating any sort of website using this subdomain, including phishing sites, ransomware attacks, hosting malware, distributing porn or illegal content such as copyrighted materials. You could also imagine an attacker creating any number of other NFT or DeFi scam web pages, all under your company banner.
Business Impact
A high-impact subdomain takeover could lead to data theft and indirect financial loss through the attacker's ability to interact with legitimate users. These malicious actions could also result in reputational damage for the business through the impact on customers' trust.
Steps to Reproduce
1. Browse to the URL https://www-admin.linaro.org/proof.txt
2. You will see my name
3. Browse to the URL https://www.linaro.org/ and log in and click around
4. Browse to the URL https://www-admin.linaro.org/cookie-thief.php
5. You will see the cookies an attacker could steal, and possibly use to compromise an account
6. Click the COOKIE BOMB button
7. Browse to the URL https://www.linaro.org/
8. You will receive an error and not be able to access this site or anything related until you clear your cookies, resulting in DoS
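Why step 5 can expose cookies to a sibling subdomain, and which Set-Cookie attributes narrow that exposure, as an added example that is not part of this report. The hostnames and the two Set-Cookie headers are constructed sample data for example.org; the functions implement RFC 6265 domain matching and a small hardening audit.

```python
"""Cookie scope check: which hosts receive a cookie, and how to narrow it.

Added example, not part of the original report; hostnames and Set-Cookie
headers below are constructed sample data.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_matches(host, cookie_domain):
    """RFC 6265 s5.1.3 domain matching (a leading dot on the attribute is ignored)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".").lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_receiving_cookie(set_cookie, issuing_host, candidate_hosts):
    """Hosts among candidate_hosts to which a browser would send this cookie.

    Without a Domain attribute the cookie is host-only; with one, every host
    that domain-matches the attribute (sibling subdomains included) gets it.
    """
    _name, _value, attrs = parse_set_cookie(set_cookie)
    if "domain" not in attrs:
        return [h for h in candidate_hosts if h.lower() == issuing_host.lower()]
    return [h for h in candidate_hosts if domain_matches(h, attrs["domain"])]


def audit_set_cookie(set_cookie):
    """Findings that widen a session cookie's exposure; an empty list means hardened."""
    name, _value, attrs = parse_set_cookie(set_cookie)
    findings = []
    if "domain" in attrs:
        findings.append("Domain attribute shares the cookie with every subdomain")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script on any receiving host")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: a subdomain can set a same-named cookie")
    return findings


# Constructed sample data.
HOSTS = ["www.example.org", "www-admin.example.org", "example.org", "example.net"]
LOOSE = "session=abc123; Domain=.example.org; Path=/"
STRICT = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (LOOSE, STRICT):
        print(header)
        print("  received by:", hosts_receiving_cookie(header, "www.example.org", HOSTS))
        print("  findings:", audit_set_cookie(header) or "none")
```

Host-only, `__Host-` prefixed cookies protect the application's own session from being read or shadowed by a stale sibling hostname; they do not stop that hostname from setting oversized cookies for the parent domain, so the dangling record itself still has to be removed.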
Proof of Concept (PoC)
Screenshot attached.
Notice that the website has a valid SSL certificate, and a public record of its creation: https://crt.sh/?id=8216825965
Recommendations
The DNS A record for this subdomain should be removed. A comprehensive audit should be performed on all subdomains and all stale DNS entries should be removed.
You should consider creating a CAA record. Your main domain uses Cloudflare for SSL certificates. If you don't use Let's Encrypt anywhere, creating a CAA record would prevent an attacker from creating rogue SSL certificates and may thwart some attacks.
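The stale-record audit and the CAA check recommended above, as an added example that is not the reporter's code or Linaro's tooling. It works offline on a constructed example.org zone, a constructed inventory of owned address ranges and a stub resolver; the CAA evaluation follows RFC 8659 (climb from the name toward the apex, first CAA record set wins) but, as a simplification, does not follow CNAME aliases during that climb.

```python
"""Offline DNS hygiene checks for the two recommendations above.

Added example, not part of the original report: the zone, the owned address
ranges and the resolver stub below are all constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name without trailing dot
    rtype: str   # "A", "CNAME" or "CAA"
    value: str   # rdata as it would appear in a zone file


# Constructed sample zone (example.org, not the real linaro.org records).
ZONE = [
    Record("example.org", "A", "203.0.113.10"),
    Record("example.org", "CAA", '0 issue "digicert.com"'),
    Record("www.example.org", "A", "203.0.113.10"),
    # Stale: points at an address the organisation released long ago.
    Record("www-admin.example.org", "A", "198.51.100.42"),
    Record("blog.example.org", "CNAME", "tenant-1234.hosted-pages.example.net"),
    # Stale: the provider-side hostname no longer exists.
    Record("status.example.org", "CNAME", "example-org.statuspages.example.net"),
    Record("dev.example.org", "CAA", '0 issue ";"'),
]

# Constructed asset inventory: address space the organisation still controls.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for a live resolver: names that currently resolve.
RESOLVABLE = {"tenant-1234.hosted-pages.example.net"}


def resolves(hostname):
    """Stub lookup: True if the name resolves, False on NXDOMAIN."""
    return hostname.rstrip(".").lower() in RESOLVABLE


def dangling_a_records(zone, owned_networks):
    """A records whose address lies outside every range the organisation owns.

    Whoever holds that address (e.g. a recycled cloud IP) answers for the name.
    """
    stale = []
    for r in zone:
        if r.rtype != "A":
            continue
        addr = ipaddress.ip_address(r.value)
        if not any(addr in net for net in owned_networks):
            stale.append(r.name)
    return stale


def dangling_cnames(zone, resolve=resolves):
    """CNAME records whose target no longer resolves."""
    return [r.name for r in zone if r.rtype == "CNAME" and not resolve(r.value)]


def relevant_caa_set(zone, name):
    """RFC 8659 s3: walk from the name toward the apex; the first CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never consult the TLD itself
        owner = ".".join(labels[i:])
        found = [r for r in zone if r.rtype == "CAA" and r.name.lower() == owner]
        if found:
            return found
    return []


def caa_permits(zone, name, ca_domain):
    """True if ca_domain may issue for name under the zone's CAA policy.

    No relevant CAA RRset, or one without an "issue" property, restricts nothing.
    An issue value of ";" authorises no CA at all.
    """
    issuers = []
    for r in relevant_caa_set(zone, name):
        _flags, tag, value = r.value.split(" ", 2)
        if tag.lower() == "issue":
            # drop the surrounding quotes and any parameters after ';'
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    if not issuers:
        return True
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    print("dangling A records:", dangling_a_records(ZONE, OWNED_NETWORKS))
    print("dangling CNAMEs:", dangling_cnames(ZONE))
    for ca in ("digicert.com", "letsencrypt.org"):
        print(f"{ca} may issue for www.example.org:",
              caa_permits(ZONE, "www.example.org", ca))
```

In a real audit the zone comes from a DNS export or the registrar API, the owned ranges from the cloud and hosting inventories, and `resolves` from a live resolver; the two `dangling_*` functions are the part worth scheduling, because a record becomes stale the day a host is decommissioned, not the day the next audit runs.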
Corrie Sloot
https://www.linkedin.com/in/corriesloot/
P.S. I have a hosting cost associated with this PoC website, so please respond as soon as you can so I can shut it down.
Reporter: Corrie Sloot
E-mail: corrie@sloot.ca