CName Misconfiguration left thousands of companies open to attack

December 5, 2020
CName Misconfiguration Subdomain Hijack Abuse DNS

A recent web security scanning by a cybersecurity group confirmed that over 400,000 subdomains that have been abandoned are susceptible to malicious takeover invasion of many threat actors. According to the report, these abandoned subdomains result from misconfigured CName (canonical name) in the DNS layout of the hosting provider.

The CName configuration is widely used by hosting providers as an added security to hide the real domain of the registered websites in which it is displayed on the address bar of the browser. Unfortunately, these abandoned subdomains that a threat actor may re-register to any hosting provider can disguise as the official website of the company. However, it is already a controlled domain of an adversary. Once became active, threat actors can inject malicious codes that could result in many hacking issues such as phishing abuse and system intrusion. This can also lead to potential broken-link hijacking that can be used to potentially redirect the victim to different websites controlled by the threat actors.


Further on the report confirmed that most abandoned subdomains and CName records belonged to e-commerce companies that have been used for campaigns and promotional ads of the company.


Few percentages of which belong to technical forums and informational purposes sites. Researchers also verified that they also see some 200 government (.gov) and prominent universities (.edu) subdomains are on the list they have extracted from their scanning. Listed highlighted subdomains on the report mostly contains the word www, m (for mobile), shop, store, and blog.

Concerning the report, the researcher also discussed the impact of the current offer of Chrome that automatically hides such subdomains when using their browser. This would potentially aid adversaries on their intent to the deceived victim that they are accessing a legitimate website. Still, on the contrary, it is already a domain controlled by the threat actors. In Chrome defence, this is a feature they added for simplicity and usability of the browser. In addition, they have highlighted the security feature that it displayed the warning that the user is about to open an unsecured website and continuing to open the site will put them at risk.

The report was intentionally released to provide awareness of the possible chaotic result that may happen if this vulnerability has been entirely blown exploited by threat actors. A proper call out to the mentioned companies to review their online services as they may become a victim of such an unprecedented attack from the past. Fortunately, large companies with significant resources have already reported that they have been dealing with this vulnerability and have done many mitigation plans to either fully stop it or have an immediate remedy in case of an attack occurred. Luckily, the exploitation may not be that an easy task to any adversary, due to the reason that they will need to get permission from the registered owner before the abandoned subdomain can be reactivated. But still, it is always safe to say that prevention is better than cure.

About the author

Leave a Reply