Summary

Subdomain takeover was possible in some of the subdomains.  The CNAME entry in the subdomain is pointing to an external page service (fanfootballsony.s3-us-west-2.amazonaws.com).

Description

$ nslookup fan.football.sony.net 8.8.8.8
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   fanfootballsony.s3-us-west-2.amazonaws.com
Address: 173.255.201.227

fan.football.sony.net
 -> fan.football.sony.net is an alias for fanfootballsony.s3-us-west-2.amazonaws.com.

The bucket name must be the same as the CNAME. So fan.football.sony.net/filename would be the same as fanfootballsony.s3-us-west-2.amazonaws.com/filename if a CNAME were created to map fan.football.sony.net to fanfootballsony.s3-us-west-2.amazonaws.com.

PoC:

http://fanfootballsony.s3-us-west-2.amazonaws.com/subdomaintakeover/index.html

Risk

• Fake website
• Malicious code injection
• Users tricking
• Company impersonation

Since the vulnerable subdomain is called signup , it’s a perfect place to create a fake login/subscribe page to steal users credentials. An attacker would post links on forums or send emails and then wait for people to signup on the site he owns.

Fix

You should immediately remove the DNS-entry for this domain or point it elsewhere if you don’t use that service.

EN | Sony Subdomain Takeover Berk İMRAN