Subdomain Takeover: The Vulnerability of Seizing an Abandoned Subdomain

Quick answer: Subdomain takeover happens when a DNS record that points one of your subdomains (for example blog.yourcompany.com) at an external service is left dangling, and an attacker gains control of the subdomain by claiming that service name for their own account. The typical sequence: a subdomain is pointed at a cloud host, hosting provider or marketing tool; later the account on that service is closed, but the DNS record is forgotten. The dangling record now points at a name that anyone can claim on that service. The attacker claims it and publishes whatever they want on blog.yourcompany.com. The consequences are severe: phishing under your own domain, theft of visitors' cookies, and brand abuse. Prevention is to delete the DNS record before closing a service, and to audit your DNS regularly for dangling records.

When people think about securing a website, the main domain is usually protected, but subdomains are often forgotten. Yet a company may have dozens of them (blog, support, test, campaign), each pointed at a different service. These subdomains are the most overlooked part of the external attack surface, and subdomain takeover is a technical but common and dangerous vulnerability that lives there.

How the vulnerability arises

Subdomain takeover arises when a DNS record points at a service that no longer belongs to you. The typical scenario runs as follows.

A company points blog.yourcompany.com at a cloud hosting or marketing service, usually with a CNAME record, so that blog.yourcompany.com resolves to a hostname on that service. Over time the service falls out of use and the company closes its account there, but forgets to delete the DNS record. blog.yourcompany.com still points at the provider's hostname, yet the provider no longer holds any content belonging to the company: the record is dangling.

The dangling record is the vulnerability. On many cloud and hosting services, the first account to claim a hostname gets it, and the service does not check that the claimant controls the domain whose CNAME points at it. An attacker opens an account on the same service, claims the name the company left behind, and blog.yourcompany.com now serves the attacker's content, because DNS still points there. Two caveats for the practitioner: the takeover only works if the provider lets a new account claim that exact name (providers that verify domain ownership before binding a custom hostname are not exposed in this way), and CNAMEs are not the only vector. NS records that delegate a subdomain to a zone that no longer exists, and A records that point at cloud IP addresses released back to the provider's pool, dangle in the same way.

Why it is dangerous, the effects

A seized subdomain lends the attacker the credibility of your brand, because the address really is under your domain.

  • Credible looking phishing. The attacker publishes a fake login page on blog.yourcompany.com. Because visitors see your real domain, they trust it and enter their credentials.
  • Cookie and session theft. Cookies set with a Domain attribute covering the parent domain (Domain=yourcompany.com) are sent by the browser to every subdomain, including the seized one, so the attacker's server receives them on every visit; those without HttpOnly can also be read by script running there. The seized subdomain can also set cookies for the parent domain, which enables session fixation.
  • Brand abuse and malicious content. The attacker can publish unwanted, malicious or reputation damaging content in your name.
  • Pivot to other attacks. The seized subdomain can be used as a trusted origin in other attacks, for example to satisfy CORS or Content Security Policy rules that allow *.yourcompany.com, or to obtain a TLS certificate for the name, since the attacker controls what it serves.
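
The cookie point above is worth seeing concretely. The following is an added example, not code from the original page: it implements the RFC 6265 domain-matching rules a browser applies when deciding which stored cookies to attach to a request, and runs them against a constructed cookie jar for a user logged in at www.yourcompany.com. The cookie names, hostnames and the jar itself are made up for the example, and the public-suffix check browsers also apply when accepting a Domain attribute is left out.

```python
"""Which of the main site's cookies reach a seized subdomain?

Added example (not from the original page). Implements RFC 6265 domain
matching (section 5.1.3), the cookie-sending rule (section 5.4) and the
Domain-attribute acceptance rule (section 5.3 step 6) against a constructed
cookie jar. Public-suffix handling is omitted (assumption for brevity).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str         # canonical host the cookie is stored for, no leading dot
    host_only: bool     # True when the cookie was set without a Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: request_host domain-matches domain if they are equal,
    or domain is a suffix of request_host preceded by a dot and request_host
    is not an IP address."""
    request_host = request_host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if request_host == domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # IP addresses never suffix-match a domain
    except ValueError:
        pass
    return request_host.endswith("." + domain)


def cookies_sent_to(jar: list[Cookie], request_host: str) -> list[Cookie]:
    """RFC 6265 5.4: host-only cookies need an exact host match; other cookies
    are sent whenever the request host domain-matches the cookie's domain."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if host == c.domain:
                sent.append(c)
        elif domain_matches(host, c.domain):
            sent.append(c)
    return sent


def readable_by_script(jar: list[Cookie], request_host: str) -> list[Cookie]:
    """What document.cookie would expose on request_host: HttpOnly cookies are
    still sent in the request, but hidden from script."""
    return [c for c in cookies_sent_to(jar, request_host) if not c.http_only]


def can_set_domain_cookie(request_host: str, domain_attribute: str) -> bool:
    """RFC 6265 5.3 step 6: a response from request_host may set a cookie with
    this Domain attribute only if request_host domain-matches it."""
    return domain_matches(request_host, domain_attribute)


# Constructed jar: what a logged-in user of www.yourcompany.com might hold.
JAR = [
    Cookie("session", "yourcompany.com", host_only=False, http_only=True),       # Domain=yourcompany.com
    Cookie("prefs", "yourcompany.com", host_only=False),                         # Domain=yourcompany.com
    Cookie("__Host-sid", "www.yourcompany.com", host_only=True, http_only=True), # no Domain attribute
]

SEIZED = "blog.yourcompany.com"  # the subdomain assumed to have been taken over


def exposure_report(jar: list[Cookie] = JAR, seized: str = SEIZED) -> dict:
    """Summarise what an attacker serving content on `seized` obtains."""
    return {
        "received_in_requests": sorted(c.name for c in cookies_sent_to(jar, seized)),
        "readable_via_document_cookie": sorted(c.name for c in readable_by_script(jar, seized)),
        "can_plant_parent_domain_cookie": can_set_domain_cookie(seized, "yourcompany.com"),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value}")
```

The report shows the two Domain=yourcompany.com cookies arriving at the attacker's server on every visit (HttpOnly only keeps "session" away from script, not from the network), while the host-only "__Host-sid" cookie never leaves www.yourcompany.com. The last line is the fixation side of the problem: blog.yourcompany.com domain-matches yourcompany.com, so a seized subdomain may set cookies that the parent site will later receive. Scoping session cookies to the exact host (no Domain attribute, ideally with the __Host- prefix) is the mitigation this demonstrates.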

This vulnerability sits within web application security; we cover the general web security audit in our pages on website security service, penetration testing, web application penetration testing and the OWASP Top 10.

How to detect it

Whether a company is exposed to subdomain takeover is established through an external attack surface audit. The security team lists all subdomains of the domain (subdomain discovery), determines which service each record points at, and verifies that the service is still under the company's control. A subdomain pointing at a service the company no longer controls is a takeover risk. This audit is a standard part of an external pentest and of attack surface management; we also cover it in pentest process, price and when it is needed.

Step                        What is done
Subdomain discovery         All subdomains of the domain are listed (from the zone itself, Certificate Transparency logs and passive DNS)
Record analysis             The service each record points at is identified (CNAME target, NS delegation, A record)
Ownership verification      Whether that service account or resource is still yours is checked
Dangling record detection   Records whose target you no longer control, or that no longer resolves, are flagged
Cleanup                     Dangling records are deleted, or the service name is reclaimed under your own account
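
The record analysis and dangling record detection steps in the table, and the FAQ question "How do I know if I am exposed?", both come down to the same check, shown here as an added example that is not part of the original page or of any vendor tool. It follows the CNAME chain of each inventoried subdomain and classifies it: a CNAME target that returns NXDOMAIN is the classic dangling record; a target on a provider where names are claimable still answers but needs ownership verification; a name with no records at all is cleanup material. The DNS snapshot, the hostnames (yourcompany.com, RFC 5737 documentation addresses) and the list of claimable provider suffixes are all constructed for the example; in practice you would feed the classifier with answers from a real resolver and maintain the provider list yourself. NS delegations and A records to released cloud addresses are not covered by this example.

```python
"""Dangling CNAME detector over a DNS snapshot.

Added example, not from the original page. Everything below (the snapshot,
the inventory, the provider suffixes) is constructed; plug in a real resolver
and your own provider list for production use.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed placeholder suffixes for services where a free account can claim
# any unclaimed hostname. Replace with the providers your organisation uses.
CLAIMABLE_SUFFIXES = (
    ".pages.example-host.net",
    ".sites.example-marketing.io",
)

MAX_HOPS = 8  # guard against CNAME loops


@dataclass
class DnsSnapshot:
    cname: dict[str, str]                          # name -> CNAME target
    a: dict[str, list[str]]                        # name -> A records
    nxdomain: set[str] = field(default_factory=set)  # names that do not exist


@dataclass(frozen=True)
class Finding:
    name: str
    status: str    # "dangling", "review", "unused" or "ok"
    detail: str


def follow_cname(name: str, snap: DnsSnapshot) -> list[str]:
    """Return the chain [name, target1, target2, ...] up to MAX_HOPS hops."""
    chain = [name]
    cur = name
    while cur in snap.cname and len(chain) <= MAX_HOPS:
        cur = snap.cname[cur]
        chain.append(cur)
    return chain


def classify(name: str, snap: DnsSnapshot) -> Finding:
    """Classify one inventoried subdomain against the snapshot."""
    chain = follow_cname(name, snap)
    terminal = chain[-1]

    # 1. A CNAME target that no longer exists: the provider released the name
    #    (so it can be claimed) or the target zone is gone. Either way, dangling.
    for hop in chain[1:]:
        if hop in snap.nxdomain:
            return Finding(name, "dangling", f"CNAME target {hop} returns NXDOMAIN")

    # 2. The target still answers, but lives on a first-come-first-served
    #    provider: confirm the account behind it is yours (ownership verification).
    for suffix in CLAIMABLE_SUFFIXES:
        if terminal.endswith(suffix):
            return Finding(name, "review",
                           f"points to claimable provider name {terminal}; verify the account is yours")

    # 3. No CNAME and no A records: forgotten name, remove it from the zone.
    if len(chain) == 1 and (name in snap.nxdomain or not snap.a.get(name)):
        return Finding(name, "unused", "no CNAME or A records")

    return Finding(name, "ok", f"resolves to {snap.a.get(terminal, [])}")


# Constructed snapshot of what a resolver would return for our records.
SNAPSHOT = DnsSnapshot(
    cname={
        "blog.yourcompany.com": "yourcompany-blog.pages.example-host.net",
        "campaign.yourcompany.com": "promo2019.sites.example-marketing.io",
        "support.yourcompany.com": "helpdesk.example-saas.com",
        "www.yourcompany.com": "lb.yourcompany.com",
    },
    a={
        "lb.yourcompany.com": ["203.0.113.10"],
        "helpdesk.example-saas.com": ["198.51.100.7"],
        "promo2019.sites.example-marketing.io": ["192.0.2.44"],  # answers, but whose account?
    },
    nxdomain={"yourcompany-blog.pages.example-host.net"},  # account closed, name released
)

# Constructed subdomain inventory, as produced by the discovery step.
INVENTORY = [
    "blog.yourcompany.com",
    "campaign.yourcompany.com",
    "support.yourcompany.com",
    "www.yourcompany.com",
    "test.yourcompany.com",
]


def audit(inventory: list[str] = INVENTORY, snap: DnsSnapshot = SNAPSHOT) -> list[Finding]:
    """Run the classifier over the whole inventory."""
    return [classify(n, snap) for n in inventory]


if __name__ == "__main__":
    for f in audit():
        print(f"{f.status:9} {f.name}: {f.detail}")
```

Two design points: the NXDOMAIN check runs over every hop, because the dangling target is often two CNAMEs away from the name you own, and "review" is deliberately separate from "dangling". A provider that serves a generic "site not found" page for unclaimed names answers with NOERROR, so a resolver alone cannot tell you whether the name is yours; that case needs the ownership verification step (an HTTP fingerprint or a look at your own account) before you call it a finding.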

How to prevent it

Prevention is simple but requires discipline. First, when you decommission an external service, delete the DNS record that points at it before you close the account. Closing the service alone is not enough; the record that remains is exactly what an attacker claims. Second, audit your DNS records regularly and remove subdomains that are no longer in use. Third, keep an inventory of every subdomain that points at an external provider, with a named owner, so that each record has someone responsible for deleting it, and monitor your subdomains and attack surface continuously so that a new dangling record is noticed as soon as it appears. In large organizations this is part of a continuous process called attack surface management.

Frequently Asked Questions

Does subdomain takeover only affect large companies? No. Every company accumulates subdomains it created over time and forgot. If anything, small teams that do not track their subdomains are more at risk.

My main domain is secure, what happens if my subdomain is seized? The subdomain is also your brand. If it is seized, the attacker phishes in your name, can receive cookies your site shares across subdomains, and damages your reputation. Visitors trust the page because they see your real domain.

How do I know if I am exposed? You need to list all your subdomains, check which service each one points at, and confirm that the service is still yours. This is an external attack surface audit.

What should I do if a subdomain has been seized? Immediately delete the dangling record, or fix it by reclaiming the service name under your own account. Then investigate what was done through that subdomain while it was exposed: check Certificate Transparency logs for certificates issued for the name, look for phishing pages that used it, and, if your session cookies are scoped to the parent domain, consider invalidating active sessions.

To audit your subdomains and external attack surface against subdomain takeover, contact DSET.