Subdomain Takeover Through Expired Cloudfront Distribution | live.lamborghini.com

Hey Guys! So I have to accept that I’m a Huge Fan of Lamborghini Cars 👊

So I was just looking at their website lamborghini.com when I decided to scan the site's subdomains 😛 and I found a subdomain (live.lamborghini.com) that was showing an error like this:

Cloudfront Error on live.lamborghini.com

So, as I know (and I hope most of you recognize the error above), to be sure it really was a subdomain takeover issue I checked the subdomain on both http and https.

If you find the error on both, then the subdomain is probably vulnerable to subdomain takeover! So let me start from the basics.

What basically is a Subdomain Takeover vulnerability?

A subdomain takeover is considered a high severity threat. It boils down to somebody else (with bad intentions) registering a domain or resource in order to gain control over one or more of your (sub)domains. This presents an interesting attack vector, which can even lead to several high severity risks, like authentication bypass.

How does it work?

Say you have a service named 'Work' on your website, located at work.mysite.com and hosted at a third party like Bitbucket, AWS CloudFront or Heroku, and the CNAME points at this URL: mysiteasset2015.heroku.com. That service is no longer used on Heroku: either it expired, or you never claimed it in the first place, but you still added a DNS entry pointing to Heroku. An attacker can now claim that name, and when you visit assets.mysite.com you are redirected to the attacker's site on Heroku or shown malicious content by the attacker.
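The check described above (CNAME pointing at CloudFront, error on both http and https) is easy to automate over your own zone export. The following Python is an added example, not code from the original post; the hostnames, distribution ids and the CloudFront error wording in the sample data are constructed/assumed, and it runs offline over probe results you would already have collected for your own records.

```python
from dataclasses import dataclass

# Assumption: wording seen on CloudFront's generic "no distribution claims this
# Host" error page. Adjust the markers if AWS changes the page.
CLOUDFRONT_ERROR_MARKERS = ("could not be satisfied", "generated by cloudfront")
CLOUDFRONT_SUFFIX = ".cloudfront.net"


@dataclass
class Probe:
    host: str        # our own subdomain from the zone export
    cname: str       # CNAME target, or None for A/AAAA records
    responses: dict  # scheme -> (http status, response body)


def looks_like_cloudfront_error(status, body):
    text = body.lower()
    return status in (403, 404) and any(m in text for m in CLOUDFRONT_ERROR_MARKERS)


def classify(probe):
    """'dangling-cloudfront' = remove the CNAME or re-add the alternate domain name
    to a distribution you control; 'cloudfront-ok' = distribution still serves it."""
    target = (probe.cname or "").lower().rstrip(".")
    if not target.endswith(CLOUDFRONT_SUFFIX):
        return "not-cloudfront"
    # Same rule as in the post: the error has to show up on BOTH schemes before
    # the record is treated as a takeover candidate.
    both = all(
        looks_like_cloudfront_error(*probe.responses.get(scheme, (0, "")))
        for scheme in ("http", "https")
    )
    return "dangling-cloudfront" if both else "cloudfront-ok"


def audit(probes):
    return {p.host: classify(p) for p in probes}


# Constructed sample data (hypothetical hosts and distribution ids).
ERR = "<h1>ERROR</h1>The request could not be satisfied. Generated by cloudfront (CloudFront)"
SAMPLE = [
    Probe("live.example.com", "d111111abcdef8.cloudfront.net.", {"http": (403, ERR), "https": (403, ERR)}),
    Probe("www.example.com", "d222222abcdef8.cloudfront.net", {"http": (301, "Moved"), "https": (200, "<html>ok</html>")}),
    Probe("mail.example.com", None, {"http": (200, "ok"), "https": (200, "ok")}),
    Probe("cdn.example.com", "d333333abcdef8.cloudfront.net", {"http": (403, ERR), "https": (200, "ok")}),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:20} {verdict}")
```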

So back to the story. After confirming the error on both http and https, I logged in to my AWS account, created a bucket named live.lamborghini.com and uploaded an index.html file to it.

Bucket 

After that I went to the CloudFront Distribution options and created a new CloudFront distribution.

I chose the WEB option and in the CNAME field I added the subdomain live.lamborghini.com.

Next I simply linked my distribution to my S3 bucket and tadaaa, the subdomain is now mine 😛

What is the RISK of this vulnerability? Somebody could put up a scam page and scam users for BTC (or anything else) on behalf of Lamborghini, since it sits on the official domain!

I contacted Lamborghini about the issue as soon as I found it, and they acted fast to resolve it 🙂


Thanks for Reading!

About the Author

Muhammad Khizer Javed

Ethical Hacker, Bug Bounty Hunter/ Pentester & Gamer
