Subdomain Takeover Through Expired Cloudfront Distribution | live.lamborghini.com
Hey Guys! So I have to accept that I’m a Huge Fan of Lamborghini Cars 👊
So I was just looking at their website lamborghini.com when I decided to scan the subdomains of the website 😛 and I found a subdomain (live.lamborghini.com) that was showing an error like
So as far as I know, and I hope most of you guys can recognize the error ^, so to be sure about the subdomain takeover issue I checked the subdomain on both HTTP & HTTPS.
If you find the error on both, then the subdomain is probably vulnerable to subdomain takeover! So let me start from the basics.
What Basically is Subdomain Takeover Vulnerability?
A subdomain takeover is considered a high severity threat and boils down to the registration of a domain by somebody else (with bad intentions) in order to gain control over one or more (sub)domains. This presents an interesting attack vector, which can even lead to several high severity risks, like authentication bypass etc.
How Does It Work?
Say a service named ‘Work’ on your website is located at work.mysite.com and hosted at a third party like Bitbucket, AWS CloudFront or Heroku, and the CNAME points at the URL mysiteasset2015.heroku.com. If this service is not used on Heroku (you decided to use it and it expired, or you never claimed it but added a DNS entry pointing to Heroku), an attacker can claim it. Then when you visit work.mysite.com you are redirected to the attacker's site on Heroku or shown content placed there by the attacker.
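A defensive check for the dangling-CNAME condition described above, as an added example that is not part of the original post: it compares a zone's CNAME records against an inventory of resources the organisation still owns. The zone data, the `OWNED` inventory, the function names and the suffix list are assumptions constructed for illustration.

```python
# Added example: audit a zone for CNAMEs that point at third-party hosting
# the organisation no longer controls. All names and data are constructed.

# Platform suffixes for the providers named in the post (assumed list).
THIRD_PARTY_SUFFIXES = (".cloudfront.net", ".heroku.com", ".bitbucket.io")

# Constructed sample zone for the post's example domain mysite.com.
ZONE = """\
; name  ttl class type  value
www     300 IN    A     192.0.2.10
work    300 IN    CNAME mysiteasset2015.heroku.com.
live    300 IN    CNAME d111111abcdef8.cloudfront.net.
cdn     300 IN    CNAME d222222abcdef8.cloudfront.net.
shop    300 IN    CNAME d333333abcdef8.cloudfront.net.
mail    300 IN    CNAME mx.mysite.com.
"""

# Constructed inventory: resources we still own -> hostnames configured on them.
OWNED = {
    "d222222abcdef8.cloudfront.net": {"cdn.mysite.com"},
    "d333333abcdef8.cloudfront.net": {"store.mysite.com"},
}

def fqdn(name, origin):
    """Lower-case a zone name; names without a trailing dot are relative."""
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Yield (hostname, target) for every CNAME record in the zone text."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, tokenise
        if "CNAME" in fields[1:-1]:
            yield fqdn(fields[0], origin), fqdn(fields[-1], origin)

def audit(zone_text, origin, owned):
    """Return (hostname, target, status) for records that need attention."""
    findings = []
    for host, target in parse_cnames(zone_text, origin):
        if not target.endswith(THIRD_PARTY_SUFFIXES):
            continue  # target is not on a third-party platform
        if target not in owned:
            findings.append((host, target, "unclaimed"))      # resource gone
        elif host not in owned[target]:
            findings.append((host, target, "alias-missing"))  # not configured
    return findings

if __name__ == "__main__":
    for host, target, status in audit(ZONE, "mysite.com", OWNED):
        print(f"{status:14} {host} -> {target}")
```

Records flagged `unclaimed` or `alias-missing` should be removed from DNS or re-pointed before the third-party resource is released.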
So back to the story: after confirming the error on both HTTP/HTTPS I logged in to my AWS account, created a bucket named live.lamborghini.com and uploaded an index.html file to it.
Now after that I visited the CloudFront distribution options and created a new CloudFront distribution.
I chose the WEB option and in CNAME I added the link to the subdomain live.lamborghini.com.
Next I simply linked my distribution to my S3 bucket and tadaaa, your subdomain is now mine 😛
What can be the risk of this vulnerability? Somebody can make a scam page and scam users for BTC or in any other way on behalf of Lamborghini, as it's on the official website!
I contacted the Lamborghini company about the issue as soon as I got it & they acted fast to resolve the issue 🙂
Thanks for Reading!
[…] Lamborghini Subdomain Takeover Through Expired Cloudfront Distribution Muhammad Khizer Javed […]
that method still work ??
bro now still that method work….??? i mean cloudfront subdomain takeover possible????
No not anymore
Did u receive a bounty?
Nop
Amazing catch Bro
[…] BlogPost related to This https://blog.securitybreached.org/2017/10/10/subdomain-takeover-lamborghini-hacked/ […]