Microsoft subdomain takeover

cseo-coherence.microsoft.com

271 points by kailanb 3 years ago · 70 comments

ericpauley 3 years ago

Security vulnerabilities due to resource reuse (subdomain takeover is just one example of this) are rampant and readily exploitable for tons of major companies, especially as cloud providers and SaaS often overlook these as being client responsibilities.

Shameless plug, I’ve worked on identifying/characterizing these issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf

It’s only a matter of time before adversaries become more sophisticated at identifying and exploiting these in bulk.

  • hannob 3 years ago

    As you plug this paper, I should point out that it's really bad behavior to not cite prior work. The original idea of subdomain takeover was by Frans Rosén: https://labs.detectify.com/2014/10/21/hostile-subdomain-take...

    When your paper came out some media articles made it sound like you invented the method, as you didn't bother to cite the original finder.

    I know, academics don't like to cite "gray literature". But that's really not ok.

    • ericpauley 3 years ago

      This appears to be a case of differing convention and differing scope.

      Our work isn’t fundamentally about just subdomain takeover, which has received substantial academic study (we cited multiple of these). Academic conference papers are highly space constrained, so it’s common to limit cites to seminal conference papers unless no such sources exist. In this case Liu et al. 2016 is the original academic cite and does cite the work you mention. The work you mention also specifically deals with SaaS-related (not IP-related) subdomain takeover, which is a separate area that we don’t study in our work.

    • amitport 3 years ago

      They have a page on background. Have you considered that there is no malintent?

  • idealmedtech 3 years ago

    About to take a whack at reading your paper, but in plain programmer speak, can you explain a few ways this might be exploited in the wild?

    • ericpauley 3 years ago

      Biggest finding is that adversaries can easily allocate many IPs on public clouds. From this, automated traffic analysis can find what we call latent configurations (e.g., subdomain takeover) and exploit these. For instance you could allocate cloud IPs to collect SNS messages with PII to phish people, or receive passwords or data intended for other sites.

      More high-level description here: https://pauley.me/post/2022/cloud-squatting/

      • idealmedtech 3 years ago

        That's so interesting! Giving me an idea for a side project that I'm sure has been done many times before :)

npteljes 3 years ago

Archive, because it has already been fixed by MS:

https://archive.ph/DEzVW

simlevesque 3 years ago

Congrats to https://trufflesecurity.com/

The email rejection's tone is weird.

  • quotehelp1829 3 years ago

    What do you find weird in the tone? I find it succinct, confirming they were already aware of the issue and that they are already working on a (bulk) solution.

    If it hadn't taken them almost a year and actual subdomain takeover to fix it, I might be inclined to believe them.

  • yongslang94 3 years ago

    absolute dumpster fire of a company

    • isjamesalive 3 years ago

      Do you mean Truffle Security or Microsoft? Bonus points for any explanation (purely out of interest).

jiggawatts 3 years ago

The shameful thing about this is that I get "subdomain takeover" warning emails from Azure on a regular basis. Microsoft has a ton of automation around this for their customers already.

0xfffafaCrash 3 years ago

Isn’t Truffle Security opening themselves up to litigation from this? It’s harmless, but is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

  • blitzd 3 years ago

    These takeovers are often just a case of finding stale DNS entries that are pointed at resources which can be re-allocated by third parties, i.e. elastic IP addresses on AWS. So it's very likely that the person had legit access to that IP, not their fault MS pointed a DNS entry at it when they did not control it.

    • 0xfffafaCrash 3 years ago

      Fair. I don’t think MS would have a great case in court, assuming the court was technically competent enough to understand the situation upon hearing the case, which is not an easy thing to assume, but I also think many applications of the CFAA (including e.g. the one against Aaron Swartz) also make little more sense when you get to the nuts and bolts of what actually happened. You don’t have to be in the wrong to be bankrupted by the costs of litigation against you from a corporation like Microsoft — not in the US justice system in any case.

      Maybe I’m just risk averse here. I assume most of big tech with more legal weight than they know what to do with have about a 50/50 chance of having someone upstairs greenlighting legal to throw a tantrum even if it’s not in anyone’s best interests.

      Maybe if this firm demonstrated an exploit of CORS headers elsewhere open to *.microsoft.com or something, they’d be on worse footing legally.

  • jeffparsons 3 years ago

    > [...] the risk of having Microsoft’s army of lawyers throw CFAA at you [...]

    Especially now that this has been on Hacker News, I don't think even Microsoft is stupid enough to go on the offensive over something like this. The bad press would be so much greater than anything they have to gain.

    • belter 3 years ago

      Oracle enters the room...

    • PradeetPatel 3 years ago

      Exactly, most PR professionals know about the damaging effect of the Streisand effect. There are better ways to ensure this isolated incident doesn't make it to the press, and deal with the independent researchers accordingly for not going through the proper channels.

      • tgsovlerkhgsel 3 years ago

        The researchers did go through the proper channels, and were ignored.

        • 323 3 years ago

          Would you feel the same way if it was your computer? Maybe you didn't believe the reported issue was real.

          • mikojan 3 years ago

            Actually I would. They forced MS to fix a serious vulnerability (useful for phishing at the very least) by pulling a harmless stunt.

          • Semaphor 3 years ago

            What do you mean "your computer"? They didn’t do anything to Microsoft’s computer. Or am I misunderstanding something?

          • GTP 3 years ago

            > Maybe you didn't believe the reported issue was real

            Then you should still check to make sure the issue isn't there.

  • rootusrootus 3 years ago

    > is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

    Well, previously I'd never heard of Truffle Security, but now I have. So ... maybe?

  • arkadiyt 3 years ago

    > is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

    Microsoft has Safe Harbor.

  • charcircuit 3 years ago

    Tons of bug reporters already open themselves up to be hit by the CFAA.

metadat 3 years ago

Is this an example of the attack in the wild? Or what did I just view?

  • _s 3 years ago

    Someone has added http://cseo-coherence.microsoft.com to their CNAME file on Github Pages, as this domain's DNS entries were already pointing to GitHub Pages.

    It's a subdomain takeover, but not as we would normally think of it (getting access to the DNS settings and pointing them to what we want) but from getting "access" to the server the subdomain already points to.

  • metadat 3 years ago

    p.s. archive snapshot in case the site gets taken down later: https://archive.today/DEzVW

nashashmi 3 years ago

I need to start thinking more critically about my passwords being stored on ms edge. Now!

These vulnerabilities are adding so much more fear to life.

I just got done neutralizing lastpass. And that took a while. I started that back in September.

  • zelon88 3 years ago

    I'm not sure why you're being down voted so hard. You might be a little off topic, but not wrong.

    I don't like the idea of consolidation. It's a bad security posture. People love to point out that "they" can secure your data better than you can, but always neglect to mention that a consolidated target has considerably more value. Credential theft results in compromised networks. If you host your own passwords, an attacker would have to start with access in order to steal credentials. If you put all your passwords on a 3rd party server that you can't audit, with millions of other passwords from millions of other customers, it's only a matter of time before they get leaked. In fact, it's almost guaranteed that it will leak, because the value of the prize is millions of times greater.

    Why would I waste 3 months trying to hack one business to harvest credentials when I can spend 12 months hacking LastPass to get a million passwords? It's a simple cost/benefit calculation. And lazy administration to think anything different.

    So go ahead, consolidate your whole business on infra you have no real authority over. The next major world conflict will result in 4 cloud providers being physically attacked with data centers destroyed and then you will be partly to blame when 90% of the free world's economy disappears overnight.

eyelidlessness 3 years ago

I got to see it in the wild, and it was magnificent. Glad they fixed it, for users I hope it was as holistic as they claimed it would be.

smileybarry 3 years ago

Now it's a different kind of broken as HTTP redirects to HTTPS and refuses to connect due to HSTS mismatch.

breakingcups 3 years ago

Wonder if there are any cookies that would be able to access..

  • hsbauauvhabzb 3 years ago

    By default cookies are scoped to the subdomain only, so while not impossible, some other domain would have to go out of its way to screw that up.

    • philip1209 3 years ago

      If any cookie is scoped to `microsoft.com` - wouldn't this subdomain be able to access them?

      • kevingadd 3 years ago

        Ideally those cookies would also be httponly, so it's harder to get at them

        • hsbauauvhabzb 3 years ago

          I’ll preface this with the acknowledgement that httponly is misunderstood by many, but it won’t change anything:

          HttpOnly only prevents session theft as you cannot read the cookie, but you can still use it. You can still perform actions by sending AJAX requests with cookies attached.

          In a subdomain takeover you receive cookies on all requests, you can view these irrespective of httponly unless you are limited to controlling html and js of the subdomain (which I think is true of GitHub static sites).

          HttpOnly is largely a failed mitigation, modern SPAs require access to JWT tokens which compounds that; the solution is to focus on appropriate scoping (to prevent subdomain hijacks having such implications) and preventing XSS.

      • asddubs 3 years ago

        yes, if the domain parameter of the cookie is explicitly set.
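An added example (not from the thread) of the scoping rules the comments above are arguing about: it applies the RFC 6265 domain-match and send rules to a constructed cookie jar and reports which cookies a server on a taken-over subdomain would receive, and which subset page JavaScript could read (the only subset a file-only host such as GitHub Pages could ever get hold of). All hostnames and cookie names are constructed.

```python
# Which cookies does a server (or page script) on a taken-over subdomain get?
# Added example, not from the thread. Implements the RFC 6265 domain-match and
# send rules; the cookie jar below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # host it was set by, or the Domain attribute if one was given
    host_only: bool  # True when no Domain attribute was set (RFC 6265 5.3 step 6)
    http_only: bool
    secure: bool

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or request host ends with '.' + cookie domain."""
    h, d = request_host.lower().rstrip("."), cookie_domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)

def cookies_sent(jar, request_host, https=True):
    """Cookies a browser attaches to a request (RFC 6265 5.4). HttpOnly is not
    consulted here: it only hides a cookie from document.cookie, the request
    still carries it, so a server that receives the request sees it anyway."""
    sent = []
    for c in jar:
        if c.host_only and request_host.lower() != c.domain.lower():
            continue                       # host-only: exact host match required
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        if c.secure and not https:
            continue                       # Secure cookies stay off plain HTTP
        sent.append(c)
    return sent

def script_readable(sent):
    """Subset the page's own JavaScript can read; all a static-host takeover
    (GitHub Pages serves files only, no request logs) could get hold of."""
    return [c.name for c in sent if not c.http_only]

# Constructed jar for a user of several example.com properties.
JAR = [
    Cookie("login_session", "login.example.com", True, True, True),  # host-only
    Cookie("sso_token", "example.com", False, True, True),           # Domain=example.com
    Cookie("prefs", "example.com", False, False, True),
    Cookie("tracking", "example.com", False, False, False),
]

def takeover_view(host="stale.example.com", https=True):
    """(names the server on host receives, names its JS could read)."""
    sent = cookies_sent(JAR, host, https)
    return [c.name for c in sent], script_readable(sent)
```

Running `takeover_view()` shows that a host-only login cookie never reaches the stale subdomain, while every cookie set with `Domain=example.com` does, HttpOnly or not.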

AviationAtom 3 years ago

Looks like the subdomain hadn't been used in about two years:

https://web.archive.org/web/20190501000000*/http://cseo-cohe...

_trampeltier 3 years ago

Again?!? Here an article from 2020.

https://www.zdnet.com/article/microsoft-has-a-subdomain-hija...

2019: Microsoft loses control over Windows Tiles subdomain

https://www.zdnet.com/article/microsoft-loses-control-over-w...

zakki 3 years ago

I read 2 examples of the links provided in the archive.today. Is this attack possible because the subdomain is provided by a CDN/S3 (or public cloud in general)? What if it doesn't use any CDN? Just a plain web server serving the site but no longer available, or the web server is down.

  • toast0 3 years ago

    Without a shared service like this one, you can also have this happen if you CNAME or NS to a different domain and that domain becomes controlled by someone else (for example, if it expires and is registered by a new person).

    Also possible with A/AAAA records, if the IP becomes controlled by someone else, that's less likely if you're self hosted with IPs you were assigned directly by an IP registry, than if you're borrowing IPs from a service provider.
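An added example (not from the thread) that turns the cases described by _s (a CNAME to GitHub Pages whose site is no longer claimed) and toast0 (a CNAME or NS to a lapsed domain, an A/AAAA record to an address the provider has released) into a single dangling-record check a zone owner can run. The zone, the resolver answers and the address inventory are constructed stand-ins; the second shared-hosting suffix is an assumed example.

```python
# Find DNS records whose targets a third party could claim (dangling records).
# Added example, not from the thread. Zone, resolver answers and address
# inventory are constructed; a real check queries live DNS, fetches the shared
# host's response and reads the cloud provider's allocation inventory.
from dataclasses import dataclass

# Shared hosts serving whichever repo/app has claimed a custom hostname.
# GitHub Pages is the thread's case; the second suffix is an assumed example.
SHARED_HOSTING_SUFFIXES = (".github.io", ".azurewebsites.net")

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "CNAME", "NS", "A" or "AAAA"
    target: str

def find_dangling(records, name_exists, site_claimed, owned_ips):
    """(record, reason) pairs for records pointing at claimable resources.
    name_exists(t): False on NXDOMAIN.  site_claimed(n): shared host serves a
    site for n (GitHub Pages else answers its 'no site' 404).  owned_ips: ours."""
    findings = []
    for r in records:
        if r.rtype in ("CNAME", "NS"):
            if not name_exists(r.target):
                findings.append((r, "target does not resolve; domain may have lapsed"))
            elif (r.rtype == "CNAME" and r.target.endswith(SHARED_HOSTING_SUFFIXES)
                  and not site_claimed(r.name)):
                findings.append((r, "shared host has no site for this name; claimable"))
        elif r.rtype in ("A", "AAAA") and r.target not in owned_ips:
            findings.append((r, "address no longer allocated to us; may be re-issued"))
    return findings

# Constructed zone and lookup results (documentation names and addresses).
ZONE = [
    Record("stale.example.com", "CNAME", "someorg.github.io"),    # repo deleted
    Record("blog.example.com", "CNAME", "someorg.github.io"),     # still claimed
    Record("old.example.com", "CNAME", "lapsed-vendor.example"),  # domain expired
    Record("sub.example.com", "NS", "ns1.lapsed-vendor.example"),
    Record("app.example.com", "A", "203.0.113.10"),               # still ours
    Record("legacy.example.com", "A", "203.0.113.99"),            # released IP
]
EXISTS = {"lapsed-vendor.example": False, "ns1.lapsed-vendor.example": False}
CLAIMED = {"blog.example.com": True}
OWNED = {"203.0.113.10"}

def demo():
    """Run the check over the constructed zone; returns the flagged hostnames."""
    found = find_dangling(ZONE, lambda n: EXISTS.get(n, True),
                          lambda n: CLAIMED.get(n, False), OWNED)
    return [r.name for r, _ in found]
```

The GitHub Pages case needs the HTTP check, not just DNS: `*.github.io` keeps resolving after the repo is deleted, so the signal is the host's "no site here" response for the custom name.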

chollida1 3 years ago

Can someone explain this? The link just 404's

  • davchana 3 years ago

    Microsoft pointed abc.microsoft.com to GitHub pages through dns. That GitHub repo name was deleted; & eventually available back for anybody to get it. New user gets that repo name. Now new user publishes his content on that repo. Now if you type abc.microsoft.com you will see new user's content.

    • slaymaker1907 3 years ago

      TIL why aka.ms/whatever is used for redirects instead of having the redirect service be on a *.microsoft.com domain. Besides being shorter, I assume that this greatly reduces the risk for subdomain takeover as aka.ms shouldn’t have any associated cookies.

mehrzad 3 years ago

Windows Store individual links don't seem to work for me. I have to search them up in the home page.

hoseja 3 years ago

Airtight hatchway guys!

lukew3 3 years ago

Looks like it's been fixed. Here's the archived page: https://web.archive.org/web/20230107222311/http://cseo-coher...

demarq 3 years ago

I want to click the red button.

so bad.

  • speedylight 3 years ago

    It plays the song Turn Down for What and the whole page starts shaking lol

    • andirk 3 years ago

      While we were waiting for our friend in the ER (she's fine), one of us downloaded an app that was a giant red button like that one and that's all it played, TURN DOWN FOR WHAT! And you could press it a bunch so it's like "TTTT TTT TT URN URN DOWWN FFFOORR WHAT WHAT!" The nurses enjoyed it.

  • _s 3 years ago

    Seems like it injects this script:

    https://nthitz.github.io/turndownforwhatjs/tdfw.js

    Which plays a youtube video?

    • zamadatix 3 years ago

      The video is just for sound, the main amusement is it scrambles the page in tune with the song.

  • m3h 3 years ago

    It is harmless fun.

    • jugg1es 3 years ago

      what a missed rick-roll opportunity

      • andirk 3 years ago

        It is possible that the people in this world can be divided into 2 groups: 1 whose first thought given this opportunity is to rick roll the eff outa the situation, and another group that for some reason wouldn't.

    • indigodaddy 3 years ago

      I’d doubt MS agrees.

  • demarq 3 years ago

    EDIT: I caved in

jmull 3 years ago

Don't click that red button... ;)
