Subdomain Takeover is a type of vulnerability which appears when a DNS entry (subdomain) of an organization points to an External Service (ex. Heroku, Github, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized or has been migrated/deleted. In this blog, we will be dissecting Uber Subdomain takeover vulnerability which was further escalated to authentication bypass of all ube subdomains.
For example, if subdomain.abc.com was pointing to a GitHub/Heroku/Desk page and the user decided to delete their GitHub/Heroku/Desk page, an attacker can now create a GitHub/Heroku/Desk page, add a CNAME file containing subdomain.abc.com, and claim subdomain.abc.com..
There has been quite a few instances when uber has faced the subdomain takeover attacks.
Some Instances Of Subdomain TakeOver
1- Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront
Reported by :Frans Rosén (fransrosen)
Disclosed publicly on : December 13, 2016 5:18am +0530
To Know More : Click Here
2 – Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Reported by: Arne Swinnen (arneswinnen)
Disclosed publicly on : July 13, 2017 6:13am +0530
To Know More : Click Here
We will be analysing “Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com” here.
According to Security researcher Arne Swinnen, Uber was vulnerable to subdomain takeover attack on their subdomain saostatic.uber.com via Amazon CloudFront CDN. Also, Uber has deployed Single Sign-On system (SSO) at auth.uber.com, which was based on shared cookies between all *.uber.com subdomains, and was vulnerable to session cookie theft by any compromised *.uber.com subdomain.
Therefore, the impact of the subdomain takeover could be increased to Authentication Bypass of Uber’s SSO system, causing access to all *.uber.com subdomains protected by it (e.g. riders.uber.com, vault.uber.com, partners.uber.com, etc).
Subdomain Takeover
Subdomain Takeover is a type of vulnerability which appears when a DNS entry (subdomain) of an organization points to an External Service (ex. Heroku, Github, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized ( i.e. has been deleted or migrated).
For example, if subdomain.abc.com was pointing to a GitHub/Heroku/Desk page and the user decided to delete their GitHub/Heroku/Desk page, an attacker can now create a GitHub/Heroku/Desk page, add a CNAME file containing subdomain.abc.com, and claim subdomain.abc.com.
In Uber’s case, Subdomain saostatic.uber.com was pointing to Amazon Cloudfront CDN via a DNS CNAME.
However, the hostname “saostatic.uber.com” was not claimed by anymore on Cloudfront, resulting in a Cloudfront error page when visiting the subdomain before the takeover. As you can see in below snapshot.
So, a new Amazon Cloudfront CDN endpoint was created and linked to an attacker-controlled origin server.
For the new Cloudfront CDN endpoint, “saostatic.uber.com” was designated as hostname successfully. This allowed to fully takeover this domain. As you can see in below snapshot that “saostatic.uber.com” is showing the content hosted by Arne Swinnen, who has hijacked this subdomain and reported to Uber responsibly.
Reference:
https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
https://www.zdnet.com/article/uber-patches-security-flaw-leading-to-subdomain-takeover/