Subdomain takeover is a vulnerability that lets an attacker take control of a subdomain of a domain they do not own, because a DNS record still points at an external resource the organization no longer controls.
Consider an example: subdomain.example.com is hosted on a third-party service (Heroku, GitHub Pages, Zendesk, Freshdesk, etc.). The mapping is done with a CNAME DNS record:
subdomain.example.com CNAME subdomain.cloud.com.
Later, for whatever reason, the company decides to stop using that service, but the DNS record is never removed.
If someone now visits subdomain.example.com, they get an error page served by cloud.com. It may be a plain 404 Not Found, or it may say that subdomain.cloud.com is available to register!
The attacker then goes to cloud.com and registers subdomain.cloud.com. Because the DNS record was never deleted or updated, subdomain.example.com still maps to subdomain.cloud.com, so the attacker now has complete control over whatever is served at subdomain.example.com.
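The scenario above is what a dangling-CNAME audit looks for: a subdomain aliased to a third-party host whose target either no longer exists (NXDOMAIN) or answers with the provider's "this name is unclaimed" page. The checker below is an added example, not code from the original page. The DNS resolver and HTTP fetcher are injected so it runs offline against constructed records (in practice you would wire in dnspython and requests); the provider zone `cloud.com.`, the hostnames and the fingerprint strings are all hypothetical.

```python
"""Dangling-CNAME checker (added example, not from the original page).

Resolver and fetcher are injected so the check runs offline against the
constructed data below; replace them with real DNS / HTTP lookups in use.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed zone data: the CNAME each name carries (None = no CNAME).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "subdomain.example.com.": "subdomain.cloud.com.",
    "shop.example.com.": "shop.cloud.com.",
    "blog.example.com.": "blog.cloud.com.",
    "www.example.com.": None,
}
# Constructed answer to "does the CNAME target still resolve?" (False = NXDOMAIN).
SAMPLE_TARGET_EXISTS: Dict[str, bool] = {
    "subdomain.cloud.com.": False,  # service cancelled, name free to register
    "shop.cloud.com.": True,
    "blog.cloud.com.": True,
}
# Constructed HTTP responses (status, body) for targets that do resolve.
SAMPLE_HTTP: Dict[str, Tuple[int, str]] = {
    "shop.cloud.com.": (200, "<html>Welcome to the shop</html>"),
    "blog.cloud.com.": (404, "There isn't a site here yet. Claim this name at cloud.com!"),
}
# Hypothetical per-provider fingerprints: body text the provider serves for
# an unclaimed name. Real checkers keep a curated list per service.
FINGERPRINTS: Dict[str, Tuple[str, ...]] = {
    "cloud.com.": ("claim this name", "there isn't a site here"),
}

Resolver = Callable[[str], Optional[str]]
Exists = Callable[[str], bool]
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


def provider_for(target: str) -> Optional[str]:
    """Return the fingerprinted provider zone that `target` sits under, if any.

    Matches on DNS label boundaries so 'cloud.com.evil.net.' is not treated
    as belonging to 'cloud.com.'.
    """
    for zone in FINGERPRINTS:
        if target == zone or target.endswith("." + zone):
            return zone
    return None


def classify(name: str, resolve_cname: Resolver, target_exists: Exists,
             fetch: Fetcher) -> Tuple[str, str]:
    """Classify one hostname. Returns (verdict, detail).

    no_cname             - not an alias; nothing to take over via CNAME
    dangling_nxdomain    - CNAME target no longer exists: classic takeover
    dangling_fingerprint - target resolves but serves the provider's
                           "unclaimed" page: takeover likely
    ok                   - target resolves and serves real content
    unverified           - target resolves but could not be fetched
    """
    target = resolve_cname(name)
    if target is None:
        return "no_cname", ""
    if not target_exists(target):
        return "dangling_nxdomain", target
    response = fetch(target)
    if response is None:
        return "unverified", target
    status, body = response
    provider = provider_for(target)
    if provider is not None:
        lowered = body.lower()
        if any(fp in lowered for fp in FINGERPRINTS[provider]):
            return "dangling_fingerprint", f"{target} ({status})"
    return "ok", target


def audit(names: Iterable[str],
          resolve_cname: Resolver = SAMPLE_CNAMES.get,
          target_exists: Exists = lambda t: SAMPLE_TARGET_EXISTS.get(t, False),
          fetch: Fetcher = SAMPLE_HTTP.get) -> Dict[str, Tuple[str, str]]:
    """Run classify() over many names; the defaults use the constructed data."""
    return {n: classify(n, resolve_cname, target_exists, fetch) for n in names}


if __name__ == "__main__":
    for host, (verdict, detail) in audit(SAMPLE_CNAMES).items():
        print(f"{host:28} {verdict:22} {detail}")
```

Two caveats when running this for real: an NXDOMAIN target is only exploitable if the provider actually lets anyone register that name, so each `dangling_*` hit still needs a manual check against the provider's signup flow; and fingerprints drift as providers change their error pages, so an `ok` verdict is not proof of safety.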
An attacker can use this vulnerability to damage the organization's image, for example by hosting phishing or defacement pages under the organization's own domain.
It can be used to bypass a Cross-Origin Resource Sharing (CORS) policy: if the main domain trusts origins under its own subdomains, the attacker's page on the hijacked subdomain can make credentialed cross-origin requests and steal data from an authenticated user on the main domain.
When subdomains have been whitelisted as redirect URIs in an OAuth configuration, OAuth tokens can be leaked to the attacker-controlled subdomain.
- Remove or update the DNS record when you stop using such an external service. Delete the record before cancelling the service, so there is never a window in which the name dangles.
- Periodically audit your DNS zones for CNAME records pointing at third-party hosts whose target no longer resolves or serves the provider's "unclaimed" page.