Microsoft subdomain takeover (opens in new tab)

(cseo-coherence.microsoft.com)

271 pointskailanb3y ago66 comments

66 comments

Security vulnerabilities due to resource reuse (subdomain takeover is just one example of this) are rampant and readily exploitable for tons of major companies, especially as cloud providers and SaaS often overlook these as being client responsibilities.

Shameless plug, I’ve worked on identifying/characterizing these issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf

It’s only a matter of time before adversaries become more sophisticated at identifying and exploiting these in bulk.

hannob3y ago

As you plug this paper, I should point out that it's really bad behavior to not cite prior work. The original idea of subdomain takeover was by Frans Rosén: https://labs.detectify.com/2014/10/21/hostile-subdomain-take...

When your paper came out some media articles made it sound like you invented the method, as you didn't bother to cite the original finder.

I know, academics don't like to cite "gray literature". But that's really not ok.

ericpauley3y ago

This appears to be a case of differing convention and differing scope.

Our work isn’t fundamentally about just subdomain takeover, which has received substantial academic study (we cited multiple of these). Academic conference papers are highly space constrained, so it’s common to limit cites to seminal conference papers unless no such sources exist. In this case Liu et al. 2016 is the original academic cite and does cite the work you mention. The work you mention also specifically also deals with SaaS-related (not IP-related) subdomain takeover, which is a separate area that we don’t study in our work.

amitport3y ago

they have a page on background. Have you considered that there is no malintent?

idealmedtech3y ago

About to take a whack at reading your paper, but in plain programmer speak, can you explain a few ways this might be exploited in the wild?

ericpauley3y ago

Biggest finding is that adversaries can easily allocate many IPs on public clouds. From this, automated traffic analysis can find what we call latent configurations (e.g., subdomain takeover) and exploit these. For instance you could allocate cloud IPs to collect SNS messages with PII to phish people, or receive passwords or data intended for other sites.

More high-level description here: https://pauley.me/post/2022/cloud-squatting/

1 more reply

npteljes3y ago

Archive, because it has already been fixed by MS:

https://archive.ph/DEzVW

wyldfire3y ago

s/already been fixed/was eventually fixed when it showed up on HN/

simlevesque3y ago

Congrats to https://trufflesecurity.com/

The email rejection's tone is weird.

quotehelp18293y ago

What do you find weird in the tone? I find it succinct, confirming they were already aware of the issue and that they are already working on a (bulk) solution.

If it hadn't taken them almost a year and actual subdomain takeover to fix it, I might be inclined to believe them.

yongslang943y ago

absolute dumpster fire of a company

isjamesalive3y ago

Do you mean Truffle Security or Microsoft? Bonus points for any explanation (purely out of interest).

jiggawatts3y ago

The shameful thing about this is that I get "subdomain takeover" warning emails from Azure on a regular basis. Microsoft has a ton of automation around this for their customers already.

0xfffafaCrash3y ago

Isn’t Truffle Security opening themselves up to litigation from this? It’s harmless, but is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

blitzd3y ago

These takeovers are often just a case of finding stale DNS entries that are pointed at resources which can be re-allocated by third parties, i.e. elastic IP addresses on AWS. So it's very likely that the person had legit access to that IP, not their fault MS pointed a DNS entry at it when they did not control it.

0xfffafaCrash3y ago

Fair. I don’t think MS would have a great case in court, assuming the court was technically competent enough to understand the situation upon hearing the case, which is not an easy thing to assume, but I also think many applications of the CFAA (including e.g. the one against Aaron Swartz) also make little more sense when you get to the nuts and bolts of what actually happened. You don’t have to be in the wrong to be bankrupted by the costs of litigation against you from a corporation like Microsoft — not in the US justice system in any case.

Maybe I’m just risk averse here. I assume most of big tech with more legal weight than they know what to do with have about a 50/50 chance of having someone upstairs greenlighting legal to throw a tantrum even if it’s not in anyone’s best interests.

Maybe if this firm demonstrated an exploit of CORS headers elsewhere open to *.microsoft.com or something, they’d be on worse footing legally.

jeffparsons3y ago

> [...] the risk of having Microsoft’s army of lawyers throw CFAA at you [...]

Especially now that this has been on Hacker News, I don't think even Microsoft is stupid enough to go on the offensive over something like this. The bad press would be so much greater than anything they have to gain.

belter3y ago

Oracle enters the room...

PradeetPatel3y ago

Exactly, most PR professionals know about the damaging effect of the Streisand effect. There are better ways to ensure this isolated incident doesn't make it to the press, and deal with the independent researchers accordingly for not going through the proper channels.

1 more reply

rootusrootus3y ago

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Well, previously I'd never heard of Truffle Security, but now I have. So ... maybe?

arkadiyt3y ago

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Microsoft has Safe Harbor.

charcircuit3y ago

Tons of bug reporters already open themselves up to be hit by the CFAA.

metadat3y ago

Is this an example of the attack in the wild? Or what did I just view?

_s3y ago

Someone has added http://cseo-coherence.microsoft.com to their CNAME file on Github Pages, as this domain's DNS entries were already pointing to GitHub Pages.

It's a subdomain takeover, but not as we would normally think of it (getting access to the DNS settings and pointing them to what we want) but from getting "access" to the server the subdomain already points to.

metadat3y ago

p.s. archive snapshot in case the site gets taken down later: https://archive.today/DEzVW

nashashmi3y ago

I need to start thinking more critically about my passwords being stored on ms edge. Now!

These vulnerabilities are adding so much more fear to.life.

I just got done neutralizing lastpass. And that took a while. I started that back in September.

zelon883y ago

I'm not sure why you're being down voted so hard. You might be a little off topic, but not wrong.

I don't like the idea of consolidation. It's a bad security posture. People love to point out that "they" can secure your data better than you can, but always neglect to mention that a consolidated target has considerably more value. Credential theft results in compromised networks. If you host your own passwords, an attacker would have to start with access in order to steal credentials. If you put all your passwords on a 3rd party server that you can't audit, with millions of other passwords from millions of other customers, it's only a matter of time before they get leaked. In fact, it's almost guaranteed that it will leak, because the value of the prize is millions of times greater.

Why would I waste 3 months trying to hack one business to harvest credentials when I can spend 12 months hacking last pass to get a million passwords? It's a simple cost/ benefit calculation. And lazy administration to think anything different.

So go ahead, consolidate your whole business on infra you have no real authority over. The next major world conflict will result in 4 cloud providers being physically attacked with data centers destroyed and then you will be partly to blame when 90% of the free world's economy disappears overnight.

eyelidlessness3y ago

I got to see it in the wild, and it was magnificent. Glad they fixed it, for users I hope it was as holistic as they claimed it would be.

smileybarry3y ago

Now it's a different kind of broken as HTTP redirects to HTTPS and refuses to connect due to HSTS mismatch.

breakingcups3y ago

Wonder if there are any cookies that would be able to access..

hsbauauvhabzb3y ago

By default cookies are scoped to the subdomain only, so while not impossible some other domain would have to go out if it’s way to screw that up

philip12093y ago

If any cookie is scoped to `microsoft.com` - wouldn't this subdomain be able to access them?

2 more replies

AviationAtom3y ago

Looks like th subdomain hadn't been used in about two years:

https://web.archive.org/web/20190501000000*/http://cseo-cohe...

_trampeltier3y ago

Again?!? Here an article from 2020.

https://www.zdnet.com/article/microsoft-has-a-subdomain-hija...

2019: Microsoft loses control over Windows Tiles subdomain

https://www.zdnet.com/article/microsoft-loses-control-over-w...

1 more reply

zakki3y ago

I read 2 examples of the links provided in the archive.today. Is this attack possible because the sub domain is provided by a CDN/S3 (or public cloud in general)? What if it doesn't use any CDN? just plain web server serving the site but no longer available or the web server is down.

toast03y ago

Without a shared service like this one, you can also have this happen if you CNAME or NS to a different domain and that domain becomes controlled by someone else (for example, if it expires and is registered by a new person).

Also possible with A/AAAA records, if the IP becomes controlled by someone else, that's less likely if you're self hosted with IPs you were assigned directly by an IP registry, than if you're borrowing IPs from a service provider.

chollida13y ago

Can someone explain this? The link just 404's

davchana3y ago

Microsoft pointed abc.microsoft.com to GitHub pages through dns. That GitHub repo name was deleted; & eventually available back for anybody to get it. New user gets that repo name. Now new user publishes his content on that repo. Now if you type abc.microsoft.com you will see new user's content.

slaymaker19073y ago

TIL why aka.ms/whatever is used redirects instead of having the redirect service be on a *.microsoft.com domain. Besides being shorter, I assume that this greatly reduces the risk for subdomain takeover as aka.ms shouldn’t have any associated cookies.

mehrzad3y ago

Windows Store individual links don't seem to work for me. I have to search them up in the home page.

hoseja3y ago

Airtight hatchway guys!

lukew33y ago

Looks like it's been fixed. Here's the archived page: https://web.archive.org/web/20230107222311/http://cseo-coher...

breakingcups3y ago

It's still working for me. Must be a DNS cache thing.

lukew33y ago

Maybe, it redirects me to https://redirect.microsoft when I visit the link

shaicoleman3y ago

Old CNAME was pointing to microsoft.github.io.

Now the CNAME is pointing to redirect-dns.msftdomains.com.

demarq3y ago

I want to click the red button.

so bad.

speedylight3y ago

It plays the song Turn Down for What and the whole page starts shaking lol

andirk3y ago

While we were waiting for our friend in the ER (she's fine), one of us downloaded an app that was a giant red button like that one and that's all it played, TURN DOWN FOR WHAT! And you could press it a bunch so it's like "TTTT TTT TT URN URN DOWWN FFFOORR WHAT WHAT! The nurses enjoyed it

_s3y ago

Seems like it injects this script:

https://nthitz.github.io/turndownforwhatjs/tdfw.js

Which plays a youtube video?

zamadatix3y ago

The video is just for sound, the main amusement is it scrambles the page in tune with the song.

m3h3y ago

It is harmless fun.

jugg1es3y ago

what a missed rick-roll opportunity

1 more reply

indigodaddy3y ago

I’d doubt MS agrees.

demarq3y ago

EDIT: I caved in

jmull3y ago

Don't click that red button... ;)

simlevesque3y ago

For what ?

j / k navigate · click thread line to collapse

66 comments

ericpauley3y ago

Shameless plug, I’ve worked on identifying/characterizing these issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf

It’s only a matter of time before adversaries become more sophisticated at identifying and exploiting these in bulk.

hannob3y ago

When your paper came out some media articles made it sound like you invented the method, as you didn't bother to cite the original finder.

I know, academics don't like to cite "gray literature". But that's really not ok.

ericpauley3y ago

This appears to be a case of differing convention and differing scope.

amitport3y ago

they have a page on background. Have you considered that there is no malintent?

idealmedtech3y ago

About to take a whack at reading your paper, but in plain programmer speak, can you explain a few ways this might be exploited in the wild?

ericpauley3y ago

More high-level description here: https://pauley.me/post/2022/cloud-squatting/

1 more reply

npteljes3y ago

Archive, because it has already been fixed by MS:

https://archive.ph/DEzVW

wyldfire3y ago

s/already been fixed/was eventually fixed when it showed up on HN/

simlevesque3y ago

Congrats to https://trufflesecurity.com/

The email rejection's tone is weird.

quotehelp18293y ago

What do you find weird in the tone? I find it succinct, confirming they were already aware of the issue and that they are already working on a (bulk) solution.

If it hadn't taken them almost a year and actual subdomain takeover to fix it, I might be inclined to believe them.

yongslang943y ago

absolute dumpster fire of a company

isjamesalive3y ago

Do you mean Truffle Security or Microsoft? Bonus points for any explanation (purely out of interest).

jiggawatts3y ago

The shameful thing about this is that I get "subdomain takeover" warning emails from Azure on a regular basis. Microsoft has a ton of automation around this for their customers already.

0xfffafaCrash3y ago

Isn’t Truffle Security opening themselves up to litigation from this? It’s harmless, but is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

blitzd3y ago

0xfffafaCrash3y ago

Maybe if this firm demonstrated an exploit of CORS headers elsewhere open to *.microsoft.com or something, they’d be on worse footing legally.

jeffparsons3y ago

> [...] the risk of having Microsoft’s army of lawyers throw CFAA at you [...]

belter3y ago

Oracle enters the room...

PradeetPatel3y ago

1 more reply

rootusrootus3y ago

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Well, previously I'd never heard of Truffle Security, but now I have. So ... maybe?

arkadiyt3y ago

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Microsoft has Safe Harbor.

charcircuit3y ago

Tons of bug reporters already open themselves up to be hit by the CFAA.

metadat3y ago

Is this an example of the attack in the wild? Or what did I just view?

_s3y ago

Someone has added http://cseo-coherence.microsoft.com to their CNAME file on Github Pages, as this domain's DNS entries were already pointing to GitHub Pages.

metadat3y ago

p.s. archive snapshot in case the site gets taken down later: https://archive.today/DEzVW

nashashmi3y ago

I need to start thinking more critically about my passwords being stored on ms edge. Now!

These vulnerabilities are adding so much more fear to.life.

I just got done neutralizing lastpass. And that took a while. I started that back in September.

zelon883y ago

I'm not sure why you're being down voted so hard. You might be a little off topic, but not wrong.

eyelidlessness3y ago

I got to see it in the wild, and it was magnificent. Glad they fixed it, for users I hope it was as holistic as they claimed it would be.

smileybarry3y ago

Now it's a different kind of broken as HTTP redirects to HTTPS and refuses to connect due to HSTS mismatch.