October 10, 2017
Share

Subdomain Takeover Through Expired Cloudfront Distribution | live.lamborghini.com

by

Hey Guys! So I have to accept that I’m a Huge Fan of Lamborghini Cars 👊

So I was just looking at their website lamborghini.com when I decided to scan subdomains of the website 😛 and I found a Subdomain (live.lamborghini.com) that was showing an error Like

Cloudfront Error on live.lamborghini.com

So as i Know and I hope most of You guys can recognize the ERROR^ so to be sure about the Subdomain Takeover Issue I checked the subdomain Both on http & https

If u find the error on Both Then the subdomain is Probably Vulnerable to Subdomain Takeover Vulnerability! So let me start from basics

What Basically is Subdomain Takeover Vulnerability? 

A subdomain takeover is considered a high severity threat and boils down to the registration of a domain by somebody else (with bad intentions) in order to gain control over one or more (sub)domains. This presents an interesting attack vector, which can even lead to several high severity risks, like authentication bypass etc.

How it Works?

A service named ‘Work’ on your website which located at work.mysite.com hosted at third party like bitbucket, AWS Cloudfront or Heroku and the CNAME Points at this url mysiteasset2015.heroku.com , and this service is not used on heroku , you just decided to use it and it expired or you did not claim it before but you added a dns entry pointing to heroku , so an attacker can claim it , then when you visit assets.mysite.com you are redirected to attacker site on heroku or show Mac Content by the attacker.

So Back to the Story after confirming the Error on Both Http/Https i loged In to AWS account and Created a Bucket Named live.lamborghini.com and Uploaded an index.html file on it.

Bucket 

Now After that I visited Cloudfront Distribution options and created a New Cloudfront Distribution

I chooses the WEB option and In CNAME i added the link to the subdomain live.lamborghini.com

Next i simple Linked my Distribution to my S3 bucket and tadaaa, Your Subdomain is Now Mine 😛

What can be the RISK of this Vulnerability! Somebody can make a Scam page and Scam users for BTC or any other instance on behalf of Lamborghini as its on the official website!

I contacted Lamborghini Company about the issue As Soon as I got it & They act fastly to resolve the issue 🙂

 

Thanks for Reading!

Discover more from Security Breached Blog

Subscribe to get the latest posts sent to your email.

Tags:

MuhammadKhizerJaved

Dedicated and seasoned cybersecurity professional with over 8 years of active engagement in Bug Bounty Hunting, complemented by 4 years of experience as a Penetration Tester. Skilled in web and mobile application security testing and vulnerability assessment, I am actively involved in platforms like HackerOne and Bugcrowd. My contributions in the Bug Bounty arena have been recognized by over 200 reputable organizations, including Apple, Google, Facebook, The Government of Singapore, and The US Department of Defense. As an advocate for community growth, I actively contribute as a speaker, conducting sessions in local universities and presenting talks at various security conferences, both locally and internationally, including twice at BlackHat MEA, With a passion for growth, Always happy to connect with fellow security practitioners.

11 replies on “Subdomain Takeover Through Expired Cloudfront Distribution | live.lamborghini.com”

    • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    You may also like