Subdomain Takeover on annualmeeting2022.globe.gov

Disclosed by
Nickguitar
Summary by Nickguitar


Report details
  • Submitted

  • Target Location

    https://globe.gov/
  • Target category

    Web App

  • VRT

    Server Security Misconfiguration > Misconfigured DNS > Basic Subdomain Takeover
  • Priority

    P3
  • Bug URL
    https://annualmeeting2022.globe.gov/
  • Description

    Basic Subdomain Takeover

    Overview of the Vulnerability

    A subdomain takeover is when a misconfigured Domain Name System (DNS) record is re-registered to an endpoint owned by an attacker. An attacker is then able to redirect users to the endpoint and capture data such as cookies and credentials, perform Cross-Site Scripting (XSS) attacks, and potentially take over accounts in the legitimate application.

    A subdomain takeover vulnerability was identified and successfully exploited on annualmeeting2022.globe.gov. The vulnerable subdomain was found to be pointed to us-east-1.galaxy-ingress.meteor.com, a domain associated with Meteor's hosting service. By registering an account on Meteor for $1 and deploying an application, I was able to serve arbitrary content on annualmeeting2022.globe.gov.

    Business Impact

    Subdomain takeover could lead to data theft and indirect financial loss through the attacker’s ability to interact with legitimate users. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. This vulnerability allows an attacker to serve arbitrary content, phishing pages, or malicious software through a trusted domain, potentially compromising the security and trust of visitors. It is also possible to perform XSS attacks to steal auth cookies from other subdomains.

    Steps to Reproduce

    1. Browse to the URL https://annualmeeting2022.globe.gov
    2. You will see a PoC text with my BugCrowd username (Nickguitar)

    Proof of Concept (PoC)

    The following screenshots show the success of the subdomain takeover:

    The affected domain was pointing to a Meteor URL no longer in use
    WindowsTerminal_KFnRfxTLs7.png

    Deploying application to the specified Meteor URL
    WindowsTerminal_fN536HBrRR.png

    Application successfully deployed in the specified URL
    brave_Wd3AXKIOmu.png

    I now have control of the contents of the page shown on the subdomain.
    brave_CklzPILv71.png
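The class of misconfiguration behind this report (a CNAME left pointing at a hosting provider name that the organisation no longer controls) is easy to catch from the defender's side by auditing a zone export. The following script is an added example, not code from the report, from Bugcrowd or from the GLOBE program: it follows CNAME chains inside a zone, and flags any record whose final target either no longer resolves or lives on a third-party hosting domain where names can be claimed by any customer. All hostnames, the zone contents, the fake resolver answers and the list of claimable hosting suffixes are constructed sample data for the example; `socket_resolve` is included as the drop-in for a real lookup but is not used by the offline sample run.

```python
"""Audit a DNS zone for dangling CNAME records that could enable subdomain takeover.

Added example with constructed data; nothing here is taken from the report's
actual DNS records beyond the general shape of the finding.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export: hostname -> (record type, value).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.org": ("A", "203.0.113.10"),
    "annualmeeting.example.org": ("CNAME", "old-event.hosting.example.net"),
    "blog.example.org": ("CNAME", "blog-alias.example.org"),
    "blog-alias.example.org": ("A", "203.0.113.11"),
    "docs.example.org": ("CNAME", "retired-team.pages.example-saas.com"),
}

# Hosting domains whose hostnames any customer can claim (constructed list,
# not an authoritative catalogue). A CNAME into one of these still resolves,
# so it needs an ownership check rather than an NXDOMAIN check.
CLAIMABLE_HOSTING_SUFFIXES = (".hosting.example.net", ".pages.example-saas.com")

NXDOMAIN = None  # sentinel returned by resolvers when a name does not exist

# Offline stand-in for DNS: constructed answers for the sample zone's targets.
FAKE_DNS: Dict[str, Optional[str]] = {
    "old-event.hosting.example.net": NXDOMAIN,              # project deleted, name free
    "retired-team.pages.example-saas.com": "198.51.100.7",  # still resolves
    "blog-alias.example.org": "203.0.113.11",
}


def fake_resolve(name: str) -> Optional[str]:
    """Resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, NXDOMAIN)


def socket_resolve(name: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the sample run).

    socket.gaierror is raised both for NXDOMAIN and for resolver failures,
    so confirm a hit against a second resolver before acting on it.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return NXDOMAIN


def follow_cname(name: str, zone: Dict[str, Tuple[str, str]], max_hops: int = 8) -> str:
    """Follow CNAME records within the zone and return the final target name.

    Stops at the first name that is not a CNAME in the zone (an A record,
    or a name outside the zone), and guards against loops.
    """
    seen = set()
    current = name
    for _ in range(max_hops):
        record = zone.get(current)
        if record is None or record[0] != "CNAME" or current in seen:
            return current
        seen.add(current)
        current = record[1]
    return current


def find_dangling(zone: Dict[str, Tuple[str, str]],
                  resolve: Callable[[str], Optional[str]]) -> List[Dict[str, str]]:
    """Return one finding per CNAME whose final target is outside the zone and
    either does not resolve or points into a claimable hosting domain."""
    findings = []
    for host, (rtype, value) in zone.items():
        if rtype != "CNAME":
            continue
        target = follow_cname(value, zone)
        if target in zone:
            continue  # chain ends at a name the organisation controls itself
        if resolve(target) is NXDOMAIN:
            reason = "target does not resolve (NXDOMAIN); record is dangling"
        elif target.endswith(CLAIMABLE_HOSTING_SUFFIXES):
            reason = "target is on a claimable hosting domain; verify the tenant is still yours"
        else:
            continue
        findings.append({"host": host, "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_dangling(SAMPLE_ZONE, fake_resolve):
        print(f"{finding['host']} -> {finding['target']}: {finding['reason']}")
```

On the sample zone the audit flags `annualmeeting.example.org` (its target no longer exists) and `docs.example.org` (its target still resolves but sits on a hosting domain where names can be claimed), while the internal alias `blog.example.org` passes because its chain ends at an A record in the organisation's own zone. Swapping `fake_resolve` for `socket_resolve` runs the same logic against live DNS; the remediation in either case is the same as for this report, removing or re-pointing the stale record before decommissioning the hosted application.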
