Subdomain takeover in https://cdn.masa.finance

[sofyanmoch]

Vulnerability Details :

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it. This can happen because either a virtual host hasn't been published yet or a virtual host has been removed. An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.

If an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.

Domain Affected :

• https://masa-express-boilerplate.masa.finance/
• https://cdn.masa.finance/

Steps To Reproduce :

• Visit https://cdn.masa.finance/

Reference :

• https://hackerone.com/reports/2085260
• https://hackerone.com/reports/1183296
• https://infosecwriteups.com/fastly-subdomain-takeover-2000-217bb180730f

Severity :

High (based on here https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2)

Impact:

Your company is engaged in crypto. It will be a problem when the attacker can do :

• Impersonate pages for phishing (steal credential or fake airdrop), to change the actual content of the docs (e.g. replace blocks of code that users can copy but harm users), from your trusted site. Your users will believe, and feel harmed.
• Moreover, the attacker does not need to bother campaigning the subdomain that has been taken over to your users, because it can take advantage of existing backlinks, just waiting for victims!

In addition: Malware distribution You lose your reputation.

Solutions :

For a long-term solution to prevent domain takeover :

• Remove dns record affected
• Conduct periodic audits of your DNS records to identify and remove any entries that are no longer necessary or in use. This reduces the attack surface and potential vulnerabilities.

Screenshot

[mudler]

@sofyanmoch thanks for the report and I can confirm this bug, looks like an oversight - this is something we are already looking at.

[sofyanmoch]

@mudler hi, I've reported it via email to help@masa.finance since 4th of July. but there was no reply . My email is aondaop@gmail.com

[5u6r054]

These CNAMEs are now removed.

[5u6r054]

@mudler @Luka-Loncar -- we should make a new ticket, maybe a "chore" - to go through all our domains and audit the rest of the CNAMEs; there are many more that are not in use and could conceivably be targeted this way.

[sofyanmoch]

Hi, after check again this issue has been solved

[mudler]

Seems solved now - closing. Thanks @sofyanmoch for the report