American News Site’s Subdomains Left Open for Takeover

Reading time: 8 min

First published: Jul 9, 2020

Updated 2 times since publishing

Wizcase hacktivist team led by Avishai Efrat has recently found a vulnerability on an American broadcasting and media company website, CBS Local. Due to a technical misconfiguration, the content of 3 subdomains owned by the site became uned and open for takeover. Such vulnerability can be easily exploited by cybercriminals to trick s and steal their personal data or used to attack them in various other ways. Though the team has claimed and secured all 3 subdomains, CBS is still yet to respond to our messages and permanently remove the open mappings.

What’s Going On?

Subdomains are a prefix to a site address (URL) and are used by their parent (main) sites for technical or SEO-related reasons. So if a parent URL looks like www.parent.com, its subdomain could be found under www.subdomain.parent.com. Subdomains are set up for various different reasons, such as testing new features before they’re added to their parent URL or to separate between different types of content. Unfortunately, oftentimes they become vulnerable to takeover due to several reasons, like DNS and hosting misconfigurations or expired settings.

Many main sites host their subdomains’ content through external services, like Amazon Web Services (AWS) or GitHub. It enables main sites to and manage their content independently through an external host. It’s a useful practice for the parent site (in this instance, CBS Local) to be a part of the subdomain and appear internal.

Despite the benefits that come with using external host services, it often leads to subdomains becoming abandoned if they’re not removed properly by their owner. That can happen if the parent site cancels the hosting service, but doesn’t remove the subdomain mapping. It could allow anyone who finds the mapped subdomain to get access and rights to manage the subdomain’s content without permission. This is known as a subdomain takeover — a dangerous practice, often used to distribute malware, exploit data, or used for phishing, stealing cookies, and more.

Our team of cybersecurity experts discovered 3 vulnerable subdomains that used to host different CBS Local content — ESP Guide, Contest, and Privacy Offers. Through extensive research, we found out that each subdomain held different types of content. According to our research, contest.cbslocal.com was used as a placeholder for displaying information about contests held by the main site. It’s possible it was a part of the company’s marketing strategy. Meanwhile, espguide.cbslocal.com served as a CBS newsletter called “Eat. Sleep. Play.” Finally, it seems that privacy.offers.cbslocal.com used to display CBS Local Privacy Policies. This last subdomain poses the best opportunities for scams as its name seems like a genuine privacy-related website.

These subdomains point to URLs hosted on Amazon Simple Storage Service (S3) static website buckets. Unfortunately, the content of all 3 subdomains became uned at Amazon at some point while their content mapping remained active. This resulted in each site generating a “The specified bucket does not exist” error when approached. It’s a clear indication that a subdomain is vulnerable to takeover by anyone who comes across it.

Screenshot of XML file

Note: This error is generated only if the subdomain’s content is mapped to Amazon buckets. Other providers may display a different error message, depending on the subdomain’s host.

How Did This Happen and What Does It Mean for CBS s?

Despite the content being hosted on Amazon S3 buckets, it’s important to mention Amazon is not at fault here.

The vulnerabilities appeared because CBS Local didn’t cancel its existing content mapping but stopped using Amazon services. The 3 subdomain URLs were still working and ed on Amazon, therefore anyone could easily claim the buckets and control each subdomain.

Though the CBS Local website is visited regularly by millions of s, these subdomains seem to have been uned and empty for many years. The main website doesn’t link to any of them anymore, so it’s unlikely any CBS was browsing through them. However, it doesn’t decrease the risks involved with a subdomain takeover. These vulnerabilities could still pose a great threat to unsuspecting s.

The main threats that come from using hijacked subdomains include:

  • Phishing and scams: Very often, cybercriminals use a subdomain to create a duplicate of a well-known website to encourage s to input their personal data, credentials, or even payment details. Such information, complete with your website activity, can be utilized in creating seemingly trustworthy phishing emails. Claimed subdomains are also used to persuade unsuspecting visitors to malware or visit malicious websites.
  • Main site cloning: Using a clone of the subdomain’s main site can be used to gain s’ trust and trick them into entering their personal details without suspecting anything. Then their data is used for various, usually malicious, purposes. Alongside phishing and scams, it’s the biggest threat to data since it creates an easy way to deceive anyone who visits the hijacked subdomain.
  • Site defacement: Claimed subdomains allows anyone to various forms of static content to them. Unfortunately, due to lack of external control, it can include offensive or unsettling materials such as extremist religious views, political outlooks, or fake news.
  • Cookie data theft: Cookies are used to track and store online activity on both main sites and their subdomains. As cookies are often shared between the domain and its subdomains, hijacking a subdomain gives attackers easy access to all the cookie data collected. This increases the chances of creating successful phishing attempts, scams, or may even lead to identity theft. Although it’s not an active threat in this case (CBS Local and its subdomains weren’t configured to share cookies), cookie data theft is still a possible threat related to subdomain takeover.
  • Malicious online attacks: Through the use of cookies and scripts, attackers can monitor s’ activity on the hijacked subdomain. This knowledge can then be used to increase click-throughs to dangerous websites or encourage s to malware. On top of that, cybercriminals can hijack the main site by sending HTTP requests and running malicious Javascript on the subdomain.

It’s important to that all Amazon static websites (such as the vulnerable subdomains mentioned) don’t have any server-side capabilities. This means these sites don’t participate in any back-end processes, such as s and database communication. However, any static website can be used to redirect an unsuspecting to unsecure sites that collect such content. Alternatively, attackers can run malicious client side scripts using Javascript on the vulnerable domain.

Do I Need to Do Anything Now?

Our cybersecurity team successfully claimed and secured all 3 vulnerable subdomains. As a proof of concept (POC), they then ed unharmful static content to discourage hackers from hijacking them. As soon as these vulnerabilities were discovered, we also ed CBS Local. Once we receive a reply, we’ll be able to hand the subdomains over so they can be permanently removed.

Screenshot of Niezabezpieczona website

Even though these vulnerabilities are now secured, it’s very likely there are many other uned buckets like the CBS ones. News reports show that many big companies, like Microsoft, Amazon, and Apple, also had their subdomains hijacked. Unfortunately, in many instances, s’ credentials are stolen or misused as a result.

Luckily, you can still protect your personal information online and avoid having your data harvested.

Refrain from entering your personal details on any site without a secured HTTPS address. Make sure the site doesn’t display any certificate errors either. Should you come across a site or its subdomain with a suspicious HTTP address, avoid clicking on any pop-up ads or prompts. They can be infected with various types of malware or viruses, ready to be installed on your device with just one click.

to report anything suspicious as soon as you see it, including unusual emails or shady site functions. That way you will protect not only your own data but also prevent other s from being scammed.

For extra protection, install a trustworthy antivirus program and a VPN. They will add an additional layer of security to your device while protecting your online identity. You can even try many VPN providers for free for a certain period of time, completely risk-free! To learn more about how a VPN protects your online data, follow our VPN guide for beginners.

Why Should I Trust WizCase?

Translated in nearly 30 languages, WizCase is one of the leading websites concerning online freedom and internet safety. Our website helps people across the globe and gained thousands of regular readers very quickly. We regularly discover and report new data breaches and website vulnerabilities, such as unsecured servers on a popular culinary site.

Prior to publishing each report, we always the affected company to inform it about the existing issue. This ensures the leaks or any vulnerabilities can be secured to protect exposed data and s involved.

Although we’ve ed CBS Local multiple times to make them aware of the issue, we haven’t received a response yet. We hope that by publishing this report, we can encourage the company to secure the vulnerable subdomains themselves. Until then, our POC should prevent any hackers from trying to hijack the subdomains.

We review vendors based on rigorous testing and research, and also take into your and our commission with providers. Some providers are owned by our parent company.
Learn more

Wizcase was established in 2018 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, Intego and Private Internet Access which may be ranked and reviewed on this website. The reviews published on Wizcase are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into the technical capabilities and qualities of the product together with its commercial value for s. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Cyber Research Team
Written By Cyber Research Team
The WizCase Cybersecurity Research Team aims to investigate and uncover the latest threats on the internet. The global research team uses ethical hacking methods to shine a light on data breaches, privacy leaks, and security flaws within online communities and organizations.
Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot
4.30 Voted by 3 s
Title
Comment
Thanks for your
Loader
Please wait 5 minutes before posting another comment.
Comment sent for approval.

Leave a Comment

Loader
Loader Show more...