Popular WordPress platform Flywheel vulnerable to subdomain takeover – The Daily Swig

Malicious actors could wreak havoc by impersonating legitimate websites

A subdomain takeover vulnerability in a popular WordPress hosting platform could allow an attacker to deploy malicious code to a victim by impersonating a legitimate website.

The security flaw was discovered in Flywheel, a platform that offers WordPress hosting and related services.

Takeover

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain, usually when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.

“This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed,” Ahmed Elmalky, who discovered the issue, told The Daily Swig.

“An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it. The visitor will have no clue if something bad happened because he [can] still access the legitimate domain.”

Using a subdomain takeover, attackers can send phishing emails from the legitimate domain, perform cross-site scripting (XSS) attacks, or even damage the reputation of the brand associated with the domain.

The exploit

In a blog post, Elmalky described how he was able to exploit the vulnerability by finding a page that was hosted by Flywheel but wasn’t set up correctly.

He subscribed to Flywheel for $15, created a site, and linked it to the vulnerable subdomain. Thus, he had taken it over.

“An attacker can use this misconfiguration to take over the subdomain, publish arbitrary content, run malicious JavaScript code at the user’s end, harvest credentials using phishing attack[s], deface a website… [and] steal the cookies of the user if cookies are scoped to the parent domain and escalate to account takeover,” Elmalky wrote.

The severity of the attack was listed as ‘high’.

The mitigation

In order to protect against this simple but severe attack, end users should audit available DNS records and make sure they are aware of how exactly they are used and what type of services or applications are managed on them, Elmalky told The Daily Swig.

He added: “Review your DNS entries and remove all entries which are active but no longer in use – especially those pointing to external services.

“Make sure to remove the stale CNAME record in the DNS zone file. Ensure your external services are configured to listen to your wildcard DNS.

“Don’t forget the ‘off-boarding’ – add ‘DNS entry removal’ to your checklist,” he continued. “When creating a new resource, make the DNS record creation the last step in the process to keep it from pointing to a non-existing domain.

“Continuously monitor your DNS entries and ensure there are no dangling DNS …….
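An added example, not code from the article or from Flywheel, of the DNS audit Elmalky recommends: it walks a zone, flags CNAMEs whose target no longer resolves, and marks CNAMEs that point at an external provider for manual confirmation that the provider still has the site claimed (the Flywheel case, where the target resolves but nothing is set up to serve the name). The zone records, hostnames and FAKE_DNS answers are constructed; swap `fake_resolve` for `live_resolve` to run it against real DNS.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]          # (owner name, record type, rdata)
Finding = Tuple[str, str, str]         # (owner name, CNAME target, status)

# Constructed sample zone for example.com: one internal alias, one CNAME to an
# external host the provider still serves, and one CNAME to a retired host.
SAMPLE_ZONE: List[Record] = [
    ("www.example.com", "A", "203.0.113.10"),
    ("old.example.com", "CNAME", "www.example.com."),
    ("blog.example.com", "CNAME", "sites.hosting-provider.example."),
    ("shop.example.com", "CNAME", "retired-store.hosting-provider.example."),
]

# Constructed stand-in for the live DNS; a name missing here is NXDOMAIN.
FAKE_DNS: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "sites.hosting-provider.example": "198.51.100.7",
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

def live_resolve(name: str) -> Optional[str]:
    """Ask the system resolver; None means the target does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def audit_cnames(zone: List[Record], apex: str,
                 resolve: Callable[[str], Optional[str]] = live_resolve) -> List[Finding]:
    """Classify every CNAME in the zone.

    'dangling': the target no longer resolves, so the alias should be removed.
    'external': the target lives outside our apex; it resolves, but only the
                provider can confirm a site is actually claimed for this name,
                so it needs a manual check (this is the takeover precondition).
    'internal': the alias stays inside our own zone.
    """
    findings: List[Finding] = []
    for name, rtype, rdata in zone:
        if rtype != "CNAME":
            continue
        target = rdata.rstrip(".")
        if resolve(target) is None:
            status = "dangling"
        elif target == apex or target.endswith("." + apex):
            status = "internal"
        else:
            status = "external"
        findings.append((name, target, status))
    return findings

if __name__ == "__main__":
    for owner, target, status in audit_cnames(SAMPLE_ZONE, "example.com", fake_resolve):
        print(f"{status.upper():9} {owner} -> {target}")
```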

Source: https://portswigger.net/daily-swig/popular-wordpress-platform-flywheel-vulnerable-to-subdomain-takeover