Hey guys! I have to admit that I'm a huge fan of Lamborghini cars 👊
As I know, and I hope most of you can recognize the error shown above, to be sure about the subdomain takeover issue I checked the subdomain on both HTTP and HTTPS.
If you find the error on both, the subdomain is probably vulnerable to subdomain takeover. So let me start from the basics.
A subdomain takeover is considered a high-severity threat and boils down to somebody else (with bad intentions) claiming a domain or third-party resource that one of your DNS records still points to, in order to gain control over one or more (sub)domains. This presents an interesting attack vector, which can even lead to several high-severity risks, like authentication bypass.
Say you have a service named "Work" on your website, located at work.mysite.com, hosted at a third party like Bitbucket, AWS CloudFront or Heroku, and the CNAME points at mysiteasset2015.heroku.com. If that service is no longer in use on Heroku (you decided to use it and it expired, or you never claimed it but still added a DNS entry pointing to Heroku), an attacker can claim it. Then, when a user visits work.mysite.com, they are redirected to the attacker's site on Heroku or shown malicious content by the attacker.
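The check described above (a CNAME into a third-party provider plus the provider's "unclaimed" error on both HTTP and HTTPS) as an added example, not code from the original post. It also goes one step beyond the post and includes the defender's version of the same check: scanning a zone for CNAMEs into known providers that point at resources the organisation does not actually own. Network calls are left out so it runs offline; the CNAME target would normally come from `dig +short CNAME <host>` and the bodies from `curl -s http://<host>` and `curl -sk https://<host>`. All hostnames, bodies and zone records below are constructed test data, and the fingerprint strings are illustrative assumptions, not an authoritative list.

```python
"""Triage helper for a suspected subdomain takeover (added example).

Heuristic from the post: if the subdomain's CNAME points at a third-party host
and the provider's "nobody owns this" error appears on BOTH http and https,
the resource behind the CNAME can probably be claimed by anyone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# CNAME suffix -> substring the provider returns for an unclaimed resource.
# Illustrative assumptions only: real error pages change over time, so verify
# against the provider's current page before acting on a match.
PROVIDER_FINGERPRINTS = {
    ".cloudfront.net": "The request could not be satisfied",
    ".herokuapp.com": "No such app",
    ".s3.amazonaws.com": "NoSuchBucket",
    ".github.io": "There isn't a GitHub Pages site here",
}


@dataclass
class Observation:
    host: str                 # subdomain under test
    cname: Optional[str]      # CNAME target, or None if there is no CNAME record
    http_body: str            # body returned over http://
    https_body: str           # body returned over https://


def provider_for(cname: Optional[str]) -> Optional[str]:
    """Return the matching provider suffix, or None when the CNAME target is
    not a known third-party host (then the takeover heuristic does not apply)."""
    if not cname:
        return None
    target = cname.rstrip(".").lower()   # strip the trailing dot dig prints
    for suffix in PROVIDER_FINGERPRINTS:
        if target.endswith(suffix):
            return suffix
    return None


def classify(obs: Observation) -> str:
    """Apply the post's rule: error on both schemes => 'probably vulnerable'."""
    suffix = provider_for(obs.cname)
    if suffix is None:
        return "no third-party CNAME"
    marker = PROVIDER_FINGERPRINTS[suffix]
    on_http = marker in obs.http_body
    on_https = marker in obs.https_body
    if on_http and on_https:
        return "probably vulnerable"
    if on_http or on_https:
        # One scheme still serves real content, so the resource is most likely
        # claimed (e.g. only TLS is misconfigured); do not report a takeover yet.
        return "error on one scheme only, check manually"
    return "resource appears claimed"


def dangling_cnames(zone: Dict[str, str], claimed: Set[str]) -> List[str]:
    """Defender's inventory check: CNAMEs into a known provider whose target is
    not in the set of resources the organisation actually owns."""
    return sorted(
        host for host, target in zone.items()
        if provider_for(target) and target.rstrip(".").lower() not in claimed
    )


# Constructed sample data (not real observations of any domain). The error text
# mimics the shape of a CDN "unknown alternate domain" page.
CLOUDFRONT_ERROR = (
    "<H1>ERROR</H1><H2>The request could not be satisfied.</H2>"
    "Bad request. We can't connect to the server for this app or website at this time."
)
SAMPLES = [
    Observation("live.example.com", "d111111abcdef8.cloudfront.net.",
                CLOUDFRONT_ERROR, CLOUDFRONT_ERROR),
    Observation("work.example.com", "mysiteasset2015.herokuapp.com",
                "<title>Work portal</title>", "<title>Work portal</title>"),
    Observation("www.example.com", None, "<title>Home</title>", "<title>Home</title>"),
    Observation("dev.example.com", "d222222abcdef8.cloudfront.net",
                CLOUDFRONT_ERROR, "<title>Dev</title>"),
]


def triage(samples=SAMPLES) -> Dict[str, str]:
    """Classify every observation; returns host -> verdict."""
    return {o.host: classify(o) for o in samples}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:20} {verdict}")
```

A fingerprint match on both schemes is a lead, not proof: whether a provider actually lets an arbitrary account claim the target varies by provider and changes over time (CloudFront, for instance, now requires a certificate covering an alternate domain name before it will accept it), so confirming the finding means actually claiming the resource, which is what the rest of this post does.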
So, back to the story: after confirming the error on both HTTP and HTTPS, I logged in to my AWS account, created a bucket named live.lamborghini.com and uploaded an index.html file to it.
After that I went to the CloudFront distribution options and created a new CloudFront distribution.
I chose the Web option, and in the CNAME field I added the subdomain live.lamborghini.com.
Next I simply linked my distribution to my S3 bucket and tadaaa, your subdomain is now mine 😛
What is the risk of this vulnerability? Somebody could host a scam page and scam users out of BTC (or anything else) on behalf of Lamborghini, since it appears on the official website!
I contacted Lamborghini about the issue as soon as I found it, and they acted quickly to resolve it 🙂
Thanks for reading!