Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront Experiment

Faybert

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
Content source
https://www.bleepingcomputer.com/news/security/researchers-hijack-over-2-000-subdomains-from-legitimate-sites-in-cloudfront-experiment/
Security experts from MindPoint Group, an information security firm, have hijacked over 2,000 subdomains from legitimate websites while researching possible security flaws in Amazon's CloudFront CDN service.
Experts found that CloudFront's CDN routing mechanism that linked a site's domain and subdomains to a specific server contained a flaw that allowed attackers to point misconfigured subdomains to their own endpoint instead, effectively hijacking the subdomain from legitimate CloudFront users.
Custom script hijacks over 2,000 official subdomains
MindPoint security analyst Matt Westfall coded and deployed a proof-of-concept Python script that automatically scanned CloudFront domains and hijacked vulnerable subdomains, pointing the servers to a demo page he created.
Westfall says he hijacked over 2,000 subdomains over the period of a few days just by using his script. Some of the most high-profile subdomains belonged to companies such as the Red Cross, Bloomberg, Reuters, Dow Jones, Harvard, University of Maryland, the Commonwealth Bank of Australia, and two US government agencies.
.....
.....
.....
Click to expand...
 
  • Like
Reactions: Daviworld, Mariihh, silversurfer and 3 others
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Hi Matt and warm welcome to MT!
AWS has deemed that this is not a vulnerability in the CloudFront service.
Click to expand...
Did they explain a bit more about there reson for that conclusion? Sounds odd IMO as you wrote that the CloudFront team themself did acknowledge the issue.
 
disloops

disloops

New Member
Apr 5, 2018
2
Thanks!

To use CloudFront, a user points their domain at a unique endpoint that CloudFront assigns to a specific distribution (ex. d111111abcdef8.cloudfront.net). However, a request to that domain can arrive at a totally different CloudFront distribution with another endpoint. The unique endpoints are effectively meaningless because CloudFront only uses the HOST header of the request to determine which distribution to serve content from. That seems to be the issue that causes the most potential for takeover, but it is not something AWS considers a strict vulnerability.
 
Last edited by a moderator:
  • Like
Reactions: Daviworld, harlan4096 and upnorth
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Wow
    • Like
    • +Reputation
Security News SubdoMailing campaign spams 5 million emails daily via 8k hijacked domains
Replies
0
Views
1,491
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Sandbox Breaker
    • Like
    • Applause
AWS SSM Agent can be used as a RAT
Replies
0
Views
1,430
News Archive
Sandbox Breaker
Sandbox Breaker
LASER_oneXM
    • Like
GoDaddy takes down 15,000 subdomains used for online scams
Replies
2
Views
1,543
News Archive
SumTingWong
SumTingWong

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top