More than 60,000 Parked Domains Were Vulnerable to AWS Hijacking


MarkMonitor, a domain registrar, had left over 60,000 parked domains susceptible to domain hijacking.

MarkMonitor, now part of Clarivate, is a domain management firm that assists in establishing and protecting the online presence of the world's biggest brands - and the billions who use them. 

The parked domains were found pointing to Amazon S3 bucket addresses that did not exist, the classic precondition for a domain takeover. 

Ian Carroll, a security engineer and bug bounty hunter, saw his automation script flag hundreds of domains belonging to various businesses as exposed to domain hijacking earlier this week. Carroll was then joined by researchers Nagli and d0xing, who helped him trace the origin of the flaw: MarkMonitor was the registrar for all of the domains. 

A (sub)domain takeover arises when an unauthorized actor is able to serve content of their choosing on a domain that they do not own or control. This can happen, for instance, when the domain has a canonical name (CNAME) DNS record pointing to a host that serves no content for it. That typically occurs when the website has not been launched yet, or when the virtual host has been removed from a hosting provider while the domain's DNS records still point at that host. 

Carroll explained, "If testing.example.com is pointed towards Amazon S3, what will S3 do if that bucket hasn't been created yet? It will just throw a 404 error—and wait for someone to claim it. If we claim this domain inside S3 before example.com's owners do, then we can claim the right to use it with S3 and upload anything we want." 
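To make the S3 case concrete, the following added example (not Carroll's script and not code from MarkMonitor or AWS) classifies scanner observations into claimable and non-claimable hosts. It assumes each observation carries the resolved CNAME chain and the HTTP response S3 returned, and it distinguishes the one response that signals a takeover (404 with an S3 `NoSuchBucket` error document) from responses that merely look broken but mean the bucket already belongs to someone (403 `AccessDenied`, 404 `NoSuchKey`). All hostnames and response bodies below are constructed sample data; nothing is fetched from the network.

```python
"""Dangling-S3 check for hosts whose DNS points at Amazon S3.

Added example: given what a scanner observed for each hostname (CNAME chain
plus the HTTP response from the final host), decide whether the bucket S3
expects for that hostname is unclaimed and therefore creatable by anyone.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches S3 endpoints in a CNAME target, e.g. s3.amazonaws.com,
# s3.us-west-2.amazonaws.com, s3-website-us-east-1.amazonaws.com.
S3_ENDPOINT_RE = re.compile(
    r"(^|\.)s3(-website)?([.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)
# S3 error documents are XML with <Code> and, for most errors, <BucketName>.
ERROR_CODE_RE = re.compile(r"<Code>([A-Za-z]+)</Code>")
BUCKET_NAME_RE = re.compile(r"<BucketName>([^<]+)</BucketName>")


@dataclass
class Observation:
    hostname: str
    cname_chain: List[str]   # resolved CNAME targets, in order
    status: int              # HTTP status returned by the final host
    body: str = ""           # response body


@dataclass
class Finding:
    hostname: str
    verdict: str                  # "dangling", "claimed" or "not-s3"
    bucket: Optional[str] = None  # bucket name an attacker would have to create
    reason: str = ""


def points_to_s3(chain: List[str]) -> bool:
    """True if any CNAME target in the chain is an S3 endpoint."""
    return any(S3_ENDPOINT_RE.search(target.lower()) for target in chain)


def classify(obs: Observation) -> Finding:
    if not points_to_s3(obs.cname_chain):
        return Finding(obs.hostname, "not-s3", reason="no S3 endpoint in CNAME chain")
    m = ERROR_CODE_RE.search(obs.body)
    code = m.group(1) if m else None
    if obs.status == 404 and code == "NoSuchBucket":
        # S3 mapped the request to a bucket name nobody owns. Bucket names are
        # global, so whoever creates that bucket first serves this hostname.
        b = BUCKET_NAME_RE.search(obs.body)
        bucket = b.group(1) if b else obs.hostname
        return Finding(obs.hostname, "dangling", bucket=bucket, reason="NoSuchBucket")
    # AccessDenied and NoSuchKey both mean the bucket already exists (someone
    # owns the name); a 200 means it is serving content. None are claimable.
    return Finding(obs.hostname, "claimed", reason=code or f"HTTP {obs.status}")


def audit(observations: List[Observation]) -> Dict[str, Finding]:
    return {o.hostname: classify(o) for o in observations}


def s3_error(code: str, message: str, bucket: str) -> str:
    """Constructed sample of the XML error document S3 returns."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"<Error><Code>{code}</Code><Message>{message}</Message>"
        f"<BucketName>{bucket}</BucketName></Error>"
    )


# Constructed sample observations (hostnames are placeholders).
SAMPLE_OBSERVATIONS = [
    # Parked host: CNAME points at S3 but no bucket of that name exists.
    Observation("parked.example.com", ["parked.example.com.s3.amazonaws.com"], 404,
                s3_error("NoSuchBucket", "The specified bucket does not exist",
                         "parked.example.com")),
    # Bucket exists but is private: the name is taken, not claimable.
    Observation("assets.example.com", ["assets.example.com.s3.amazonaws.com"], 403,
                s3_error("AccessDenied", "Access Denied", "assets.example.com")),
    # Bucket exists, requested object missing: also not claimable.
    Observation("static.example.com",
                ["static.example.com.s3-website-us-east-1.amazonaws.com"], 404,
                s3_error("NoSuchKey", "The specified key does not exist",
                         "static.example.com")),
    # Not pointed at S3 at all.
    Observation("www.example.com", ["www.example.com.cdn.example.net"], 200,
                "<html>ok</html>"),
]

if __name__ == "__main__":
    for host, f in audit(SAMPLE_OBSERVATIONS).items():
        print(f"{host:22} {f.verdict:9} bucket={f.bucket} ({f.reason})")
```

The important distinction for a practitioner is in `classify`: a 404 is not enough on its own. Only the `NoSuchBucket` error document means the name is free; a 403 or a `NoSuchKey` 404 means someone already owns the bucket and the host is broken but not hijackable. In a real scan the `Observation` values would come from a resolver and an HTTP client rather than the constructed list above.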

The issue affected over 60,000 domains and lasted less than an hour

Carroll emailed MarkMonitor's security contact but did not hear back. He did, however, notice that the domains that had previously thrown S3 "bucket not found" errors gradually started showing the proper MarkMonitor landing page. 

"After I sent an email to security@markmonitor.com that went unacknowledged, domains stopped pointing to S3 over an hour after it began. I claimed over 800 root domains in this timeframe, and other researchers had similar amounts of claimed domains," added Carroll. 

Carroll's primary concern was that up to 62,000 domains parked at MarkMonitor could be hijacked and used for phishing. 

BleepingComputer contacted both Amazon and MarkMonitor for further information, and received the following response from MarkMonitor's parent firm, Clarivate: 

"During a planned move of our parking page to the cloud, our DDoS protection vendor temporarily routed traffic in an unexpected manner for some domains using MarkMonitor's parking page service." 

"Neither live domains nor DNS were impacted. We take the protection of the domains entrusted to us – including parked domains – extremely seriously, and we work every day to make sure we are following the best security practices and guidelines." 

"This includes having active and static scanning, ongoing DNS monitoring, annual 3rd party penetration testing, and other security audits," added a Clarivate spokesperson. 

According to MarkMonitor, the firm reverted its DDoS vendor settings to send traffic to a parking page on an internally hosted web server as soon as the unexpected behavior was discovered. The whole detection, investigation, and remediation process took less than an hour. 

The registrar found no instances of harmful content being hosted on any parked page. Asked what organizations can do to protect themselves against domain takeover vulnerabilities, Carroll responded: 

"Until cloud providers like Amazon move to prevent domain takeovers like this, companies need to be careful when pointing traffic to them, either via DNS records or otherwise," Carroll told BleepingComputer. 

The engineer stated in his blog post, "This issue is not entirely the fault of MarkMonitor. While they need to be careful with handling parked domains, AWS is at fault for not being more stringent with claiming S3 buckets. Google Cloud, for example, has required domain verification for years, rendering this [attack] useless." 

The MarkMonitor spokesperson concluded, "We are also evaluating mechanisms to be alerted more quickly of any HTTP error responses from domains that are parked with our parking service, which may allow us to identify and react to unexpected behavior even more quickly in the future."