
Web Security: Orphan Domains as Security Risk

Thursday, September 7th, 2017 | Gadgets

In the modern web, it is common for third-party content to be loaded. Whether you embed a YouTube video, use a Facebook button or display a banner ad: in all these cases JavaScript code from a third party is usually loaded and executed in the context of the web page.

But what happens if the service whose code is loaded there is discontinued? If the domain that was used is allowed to expire, an attacker can exploit this and simply register the orphaned domain. This gives them control over every website that still embeds the script.
To get an overview of this risk, the author of this text scanned the Alexa Top 1 Million list. Every HTML tag with a src attribute was checked to see whether the domain referenced there could still be resolved.
An unresolvable domain name is not necessarily a security risk: in many cases the domain still belongs to the original owner and only the respective service has been discontinued. This merely delays the page load slightly and unnecessarily.
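The scan described above, reduced to its core, as an added example (not the author's scanner): parse every src attribute out of a page, collect the hosts other than the page's own, and check whether each one still resolves. The resolver is injectable so the audit can run against a stub; the sample page and the stub's answer set are constructed, and the Azure subdomain is the one named further down in the article. An "unresolvable" verdict is a prompt for manual follow-up, because, as the text says, the domain may still be owned by the original operator.

```python
"""Audit the hosts a page loads content from and flag those that no longer
resolve. Added illustration, not the author's scanner. Default resolution
uses socket.gethostbyname; a resolver function can be injected so the audit
runs offline against a stub (as in the demo at the bottom)."""
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SrcCollector(HTMLParser):
    """Collect the src attribute of every start tag (script, img, iframe, ...)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def external_hosts(html, page_host):
    """Return the set of hostnames other than page_host referenced by src attributes.
    Relative and protocol-relative URLs are resolved against the page's own origin."""
    parser = SrcCollector()
    parser.feed(html)
    base = "https://" + page_host + "/"
    hosts = set()
    for src in parser.srcs:
        host = urlparse(urljoin(base, src)).hostname
        if host and host != page_host.lower():
            hosts.add(host)
    return hosts


def dns_resolves(host):
    """True if the host has an address record (real DNS lookup)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit(html, page_host, resolves=dns_resolves):
    """Map each external host to 'ok' or 'unresolvable'.
    An unresolvable host needs manual follow-up: either the domain still
    belongs to the original owner (harmless, just slow) or it has expired
    and could be registered by anyone."""
    return {
        host: "ok" if resolves(host) else "unresolvable"
        for host in sorted(external_hosts(html, page_host))
    }


# Constructed sample page for the offline demonstration. The Azure subdomain
# is the one named in the article; the other hosts are made up.
SAMPLE_HTML = """
<html><body>
<script src="https://piwiklionshare.azurewebsites.net/piwik.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="js/app.js"></script>
<img src="/logo.png">
</body></html>
"""
# Constructed answer set for the stub resolver.
STUB_RESOLVABLE = {"www.example.com", "cdn.example.net"}


def stub_resolves(host):
    """Stub resolver: answers from the constructed set instead of DNS."""
    return host in STUB_RESOLVABLE


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HTML, "www.example.com", stub_resolves).items():
        print(f"{status:13} {host}")
```

Pass `dns_resolves` (the default) instead of the stub to run the audit against live DNS; the list of "ok" hosts is at the same time the inventory of who is allowed to run code on the page, which the article asks webmasters to keep.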
Flickr includes code from a service discontinued five years ago
Flickr, Yahoo's photo service, embedded a script from Yahoo Web Analytics. But Yahoo's own statistics service was discontinued back in 2012; the script and the associated subdomain no longer exist. For five years nobody at Flickr seems to have noticed. Since the associated domain was still owned by Yahoo, this was, as mentioned, not a security problem.

On a number of websites there was code that embedded a script from a subdomain called piwiklionshare.azurewebsites.net, a subdomain of Microsoft's cloud service Azure. That subdomain was not registered with Azure. A free Azure trial account was enough to take control of it.
A look at the log files revealed that around 20 different websites used this code. All of them were local newspapers from the USA. Most of the affected web pages were hosted on two neighbouring IP addresses, which made it easier to inform the parties concerned. Although a mail with a hint to the hosting operator got no answer, the corresponding JavaScript code nevertheless disappeared from almost all of the affected websites shortly afterwards.
But one of the affected websites, the one with the most traffic, still loaded JavaScript code from the subdomain, which is now under our control: The Saline Courier, also a local newspaper. Several attempts to inform the newspaper itself or its editors were ignored. A dilemma, because of course I do not want to keep and pay for the subdomain forever. But as soon as someone else uses this domain, the whole thing could become a security risk for the Saline Courier and its website visitors.
"Friendly defacement" to make contact
But of course I had another way to get in touch: after all, I was able to run JavaScript code on the affected web page. So I decided on a "friendly defacement". The operation of the website was not directly disturbed; with a pink background and a yellow info box I told the visitors that there was a security risk and that the operator of the website should remove the JavaScript code in question.
This led to some panicked reactions among the people technically responsible. Shortly afterwards the CSS of the website was broken and the layout destroyed. Then the page showed only a PHP error message for a while, only to reappear shortly thereafter in its original state, together with my embedded JavaScript. After a few hours, though, the page was back to normal and the JavaScript code had been removed.
The most visited affected site has fixed the problem, but the JavaScript code in question is still requested regularly by others. One can see this on the website of the Columbia Missourian, for example: each article has a "Report an error" link behind which a form is hidden, and that form still embeds the script. Despite a very insistent warning, to which I have now also added sound, nobody there has reacted after several weeks.
Orphaned domains are usually registered quickly
There is some evidence that the examples found here are only the tip of the iceberg of a larger problem, because when domains expire it usually does not take long before someone else registers them.
An attacker who wants to gain control of as many websites as possible could search specifically for domains whose JavaScript code is embedded by many pages and which have expired.
For example, there are a number of pages that embed the code of a statistics service named Compete. The corresponding subdomain no longer exists; the main domain compete.com shows a message that the service was discontinued in 2016. Presumably the domain will expire or be sold at some point. Whoever owns it afterwards has the possibility of taking control of numerous websites.
Hostile subdomain takeover and other attack scenarios
The scenarios described are similar to other domain takeover attacks that have been described more recently. Under the name hostile subdomain takeover there is a scenario in which companies use DNS CNAME records to delegate the management of a subdomain to an external service. Examples of this are GitHub and Heroku.
If such a CNAME record is created and the service is later terminated without the CNAME being deleted, anyone can register the corresponding subdomain with GitHub or Heroku and control its contents. The same applies if the CNAME points to a domain that has expired.
The scenario may sound somewhat abstract, but such gaps keep turning up. For example, a security researcher found numerous subdomains of Mozilla domains that he could take over via GitHub.
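The defender's counterpart to the scenario just described is a periodic check of one's own zone for dangling CNAME records. The following is an added example, not part of the article: it takes a mapping of subdomain to CNAME target and reports targets that no longer resolve, distinguishing targets that sit under one of the providers the article names (where an unclaimed name can be registered by anyone with an account) from other expired targets. The lookup is passed in as a function so the check runs offline against a constructed zone; a live run would implement it with a DNS library (dnspython is an assumption here, not something the article mentions).

```python
"""Find dangling CNAME records, the precondition for a hostile subdomain
takeover. Added example, not part of the article. DNS resolution is passed
in as a function so the check runs offline against a constructed zone."""

# Providers the article names, where an unregistered name under the provider's
# domain can be claimed by anyone with an account.
CLAIMABLE_SUFFIXES = (".github.io", ".herokuapp.com", ".azurewebsites.net")


def classify(target, resolves):
    """Classify one CNAME target.
    ok                  target still answers, nothing to do
    dangling-claimable  target is gone and lives under a provider where anyone can register it
    dangling            target is gone (an expired domain, for instance)
    """
    if resolves(target):
        return "ok"
    if target.lower().endswith(CLAIMABLE_SUFFIXES):
        return "dangling-claimable"
    return "dangling"


def check_zone(cnames, resolves):
    """cnames: mapping of subdomain -> CNAME target. Returns subdomain -> verdict."""
    return {sub: classify(target, resolves) for sub, target in cnames.items()}


# Constructed zone for the offline run (all names made up).
SAMPLE_CNAMES = {
    "docs.example.org": "example-docs.github.io",
    "shop.example.org": "shop-example.herokuapp.com",
    "www.example.org": "www.example.org.cdn-provider.example",
    "old.example.org": "service-that-closed.example",
}
# Constructed set of targets that still have an address record.
SAMPLE_RESOLVABLE = {"example-docs.github.io", "www.example.org.cdn-provider.example"}


def sample_resolves(host):
    """Stub resolver answering from the constructed set instead of DNS."""
    return host in SAMPLE_RESOLVABLE


if __name__ == "__main__":
    for sub, verdict in check_zone(SAMPLE_CNAMES, sample_resolves).items():
        print(f"{verdict:19} {sub} -> {SAMPLE_CNAMES[sub]}")
```

One caveat for a live run: some providers answer DNS for every name under their domain through a wildcard record (GitHub Pages, for instance), so a DNS-only check reports "ok" for a name nobody has claimed. For those providers the check additionally has to fetch the target over HTTP and look for the provider's "not found" page before the record can be considered safe.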
Embedding code: also a question of trust
In general, one should always be aware that embedding external JavaScript code or handing over control of individual subdomains can pose a security risk. Anyone who embeds code from third parties must trust them not to exploit this to change the website, deliver malware or abuse the possibility in any other way.
Webmasters should at least know who is allowed to run code on their website. And if the service in question is discontinued, the code should be removed immediately.
An English-language description of this vulnerability can be found in the author's blog.
