The Wizcase hacktivist team, led by Avishai Efrat, recently found a vulnerability on the website of CBS Local, an American broadcasting and media company. Due to a technical misconfiguration, the content of 3 subdomains owned by the site became unregistered and open for takeover. Such a vulnerability can easily be exploited by cybercriminals to trick users and steal their personal data, or to attack them in various other ways.
Though the team has claimed and secured all 3 subdomains, CBS has yet to respond to our messages and permanently remove the open mappings…
What’s Going On?
Subdomains are a prefix to a site address (URL) and are used by their parent (main) sites for technical or SEO-related reasons. So if a parent URL looks like www.parent.com, its subdomain could be found under www.subdomain.parent.com.
Subdomains are set up for various reasons, such as testing new features before they’re added to the parent URL or separating different types of content. Unfortunately, they often become vulnerable to takeover for several reasons, like DNS and hosting misconfigurations or expired settings.
Many main sites host their subdomains’ content through external services, like Amazon Web Services (AWS) or GitHub. This lets the main site upload and manage that content independently through an external host. It’s a useful practice because the parent site (in this instance, CBS Local) remains part of the subdomain’s address, so the content appears internal.
Despite the benefits of external hosting services, using them often leads to subdomains being abandoned if their owner doesn’t remove them properly. That can happen if the parent site cancels the hosting service but doesn’t remove the subdomain mapping. Anyone who finds the mapped subdomain could then gain access and the rights to manage the subdomain’s content without permission. This is known as a subdomain takeover, a dangerous practice often used to distribute malware, exploit user data, phish users, steal cookies, and more.
Our team of cybersecurity experts discovered 3 vulnerable subdomains that used to host different CBS Local content — ESP Guide, Contest, and Privacy Offers. Through extensive research, we found out that each subdomain held different types of content. According to our research, contest.cbslocal.com was used as a placeholder for displaying information about contests held by the main site. It’s possible it was a part of the company’s marketing strategy. Meanwhile, espguide.cbslocal.com served as a CBS newsletter called “Eat. Sleep. Play.”
Finally, it seems that privacy.offers.cbslocal.com used to display CBS Local Privacy Policies. This last subdomain offers the best opportunities for scams, as its name looks like that of a genuine privacy-related website.
These subdomains point to URLs hosted on Amazon Simple Storage Service (S3) static website buckets. Unfortunately, the content of all 3 subdomains became unregistered at Amazon at some point while their content mapping remained active. This resulted in each site generating a “The specified bucket does not exist” error when visited. It’s a clear indication that a subdomain is vulnerable to takeover by anyone who comes across it.
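A site owner can audit their own DNS zone for the condition described above. The following is an added example, not code from Wizcase or CBS: it parses a zone-file export, finds CNAME records that point at S3 static-website endpoints, and flags those whose bucket is missing from the account's bucket inventory. The function names `parse_cnames` and `audit` are hypothetical, and the zone, bucket list and response body are constructed samples.

```python
import re

# S3 static-website endpoints look like <bucket>.s3-website-<region>.amazonaws.com
# (some regions use a dot instead of a dash after "s3-website").
S3_WEBSITE = re.compile(
    r"^(?P<bucket>.+)\.s3-website[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# Error text the article reports for a mapping whose bucket no longer exists.
FINGERPRINT = "The specified bucket does not exist"

def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME record in a zone-file export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip trailing comments
        if "CNAME" in fields[1:-1]:
            target = fields[fields.index("CNAME", 1) + 1]
            yield fields[0].rstrip(".").lower(), target.rstrip(".").lower()

def audit(zone_text, owned_buckets, bodies=None):
    """Return findings for CNAMEs mapped to S3 buckets missing from inventory.

    owned_buckets: bucket names currently present in the organisation's account.
    bodies: optional {hostname: response body} collected by fetching each
            hostname; a body carrying FINGERPRINT confirms the dangling mapping.
    """
    owned = {b.lower() for b in owned_buckets}
    findings = []
    for name, target in parse_cnames(zone_text):
        m = S3_WEBSITE.match(target)
        if not m or m.group("bucket") in owned:
            continue   # not an S3 website mapping, or the bucket still exists
        confirmed = FINGERPRINT in (bodies or {}).get(name, "")
        findings.append({"host": name, "bucket": m.group("bucket"),
                         "confirmed": confirmed})
    return findings

# Constructed sample data (example.com placeholders, not taken from the article).
SAMPLE_ZONE = """\
www.example.com.    300 IN A     192.0.2.10
promo.example.com.  300 IN CNAME promo.example.com.s3-website-us-east-1.amazonaws.com.
docs.example.com.   300 IN CNAME docs.example.com.s3-website.eu-central-1.amazonaws.com.
shop.example.com.   300 IN CNAME shops.example.net.  ; not hosted on S3
"""
SAMPLE_OWNED = ["docs.example.com"]
SAMPLE_BODIES = {"promo.example.com":
                 "<Code>NoSuchBucket</Code>"
                 "<Message>The specified bucket does not exist</Message>"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, SAMPLE_OWNED, SAMPLE_BODIES):
        print(finding)
```

Each finding is a DNS record to delete, or a bucket to re-create under the owner's account, before the hosting service is considered fully decommissioned.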