Segway Subdomain Takeover
During our research on Segway's domain space, we found a subdomain pointing to a third-party domain that its owner had let lapse and that was pending deletion. Using a domain monitoring and backorder service, we obtained the third-party domain as soon as it became available, and with it control over Segway's subdomain.
Following responsible disclosure practice, we provided Segway with a detailed security advisory. This article is published after the issue was (silently) fixed by Segway.
Nowadays, a company's online presence tends to be built on third-party services. Instead of developing or deploying their own solutions for things like e-commerce or analytics, companies subscribe to and integrate specialized services.
When a company (company.com) subscribes to such a service, the features it provides are typically exposed at company.someservice.com. The integration is then completed with a DNS record, usually a CNAME, such as shop.company.com pointing to that service address.
If the service is deprecated and its domain name abandoned (e.g. not renewed), anyone can register the domain name again and thereby gain control over every domain and subdomain that still points to it.
Attackers usually exploit issues like this one to lure victims to fake websites. Because the address is legitimate (a real subdomain of the company), victims trust it and visit. Attackers may then collect sensitive data such as credit card details, or even take over users' accounts, for instance by receiving session cookies scoped to the parent domain.
This is exactly what happened with one of Segway's subdomains. Initially, we found that distribution.segway.com was configured to point to segway.reportroi.com.
At that time, the reportroi.com domain name was in the "redemption period". Usually, the redemption period starts 30 days after a domain has reached its expiration date and lasts for another 30 days. During that time the domain can still be renewed by its owner; if that does not happen, it is released and anyone can buy it. Reconnaissance turned up no live references to reportroi.com. A single Archive.org snapshot from 2016 showed the domain serving a web page with a database connection error.
Based on name server and IP address history, we assumed that the domain had been abandoned at some point, leaving the domains that still pointed to it vulnerable.
Since the redemption period was about to end, we kept an eye on it. Using GoDaddy's monitoring and backorder service, the domain would be moved into our account as soon as it became available, if it was not renewed.
On August 18th, 2020 the domain status changed from "clienthold redemptionperiod" to "clienthold pendingdelete", and a few days later the domain was added to our account. Owning reportroi.com allowed us to recreate the segway.reportroi.com hostname, and with it to take control of distribution.segway.com.
The security advisory we provided to Segway includes a detailed attack scenario: through a phishing campaign, attackers lure victims to the distribution.segway.com website (under the attackers' control), where they are offered Segway products at steep discounts. As you would expect, this way attackers would obtain the victims' credit card details.
The video below is a working proof-of-concept that shows how successful such attacks can be.
We didn't get any feedback from Segway, but after they received our advisory the distribution.segway.com DNS entry was deleted, which was enough to mitigate the issue.
Unfortunately, subdomain takeover is quite a common issue, with a large impact not only on companies' reputations but also on their users. As general advice, companies relying on similar setups should keep an inventory of their DNS records, monitor the registration status and expiry of the domains those records point to, and remove records for services they no longer use, so that they can prevent this type of incident.
If you're curious about other technical details, please refer to the Segway subdomain takeover technical report.
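As an added example of the monitoring just described (this is not Char49's tooling, nor anything taken from the advisory), the script below audits a set of DNS records and flags those whose target's registrable domain is unregistered or sits in a lapsing EPP status such as redemptionPeriod or pendingDelete, the two states reportroi.com passed through. The records and registry statuses are constructed sample data so the script runs offline; in a live run the records would come from dnspython's dns.resolver.resolve(name, "CNAME") and the statuses from an RDAP query such as https://rdap.org/domain/<apex>, whose JSON carries a "status" array. The apex extraction is a deliberate simplification (last two labels) that a real deployment should replace with a Public Suffix List lookup.

```python
"""Dangling-record audit: flag DNS records whose target's registrable domain
is unregistered or in a lapsing EPP state. Added example, not Char49's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# EPP domain status codes (RFC 5731, ICANN status-code list) that mean the
# registration is on its way out. RDAP spells them with spaces
# ("pending delete"), WHOIS/EPP in camelCase ("pendingDelete"); normalise both.
LAPSING_STATUSES = {"redemptionperiod", "pendingdelete"}


def normalise_status(status: str) -> str:
    """'pending delete' and 'pendingDelete' both become 'pendingdelete'."""
    return status.replace(" ", "").lower()


def apex_of(name: str) -> str:
    """Registrable domain of a hostname.

    Simplification: takes the last two labels, which is wrong for multi-label
    public suffixes such as co.uk. Production code should use the Public
    Suffix List (e.g. the tldextract package).
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Finding:
    subdomain: str
    target: str
    apex: str
    reason: str
    risk: str  # "ok", "takeover_possible" or "takeover_imminent"


def classify(subdomain: str, target: str,
             registry: Dict[str, List[str]]) -> Finding:
    """Classify one CNAME-style record.

    `registry` maps an apex domain to its status list (as RDAP would return
    it). An apex missing from `registry` stands for an RDAP "not found",
    i.e. the domain is currently unregistered and anyone could buy it.
    """
    apex = apex_of(target)
    if apex == apex_of(subdomain):
        return Finding(subdomain, target, apex, "points inside own zone", "ok")
    statuses: Optional[List[str]] = registry.get(apex)
    if statuses is None:
        return Finding(subdomain, target, apex,
                       "target apex is unregistered", "takeover_possible")
    lapsing = sorted({normalise_status(s) for s in statuses} & LAPSING_STATUSES)
    if lapsing:
        return Finding(subdomain, target, apex,
                       "target apex is " + ", ".join(lapsing), "takeover_imminent")
    return Finding(subdomain, target, apex, "target apex is registered", "ok")


def audit(records: Dict[str, str], registry: Dict[str, List[str]]) -> List[Finding]:
    """Run classify() over every record; returns one Finding per record."""
    return [classify(sub, tgt, registry) for sub, tgt in sorted(records.items())]


# Constructed sample data, not real lookups. Hostnames other than the
# Segway/reportroi pair from the article are hypothetical.
SAMPLE_RECORDS = {
    "distribution.segway.com": "segway.reportroi.com.",  # the case in the article
    "shop.company.com": "company.someservice.com.",      # healthy third-party target
    "old.company.com": "company.deadservice.net.",       # target domain already dropped
    "www.company.com": "web.company.com.",               # in-zone target
}
SAMPLE_REGISTRY = {
    "reportroi.com": ["clientHold", "pendingDelete"],    # status seen on 2020/08/18
    "someservice.com": ["client transfer prohibited"],   # RDAP-style spelling
    "company.com": ["ok"],
}


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, SAMPLE_REGISTRY):
        print(f"{f.risk:18} {f.subdomain} -> {f.target} ({f.reason})")
```

A record flagged takeover_imminent is the one worth acting on before the drop: either renew or backorder the target domain yourself, or delete the record. A takeover_possible finding means the window is already open. Note that a target that still resolves can also be dangling at the hosting layer (an unclaimed bucket or tenant name), which a registry check alone will not catch.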
Events Timeline
- 2020/08/01 - Initial research on Segway's domain space; reportroi.com monitoring and backorder configured;
- 2020/08/18 - reportroi.com status changed from "clienthold redemptionperiod" to "clienthold pendingdelete";
- 2020/08/20 - reportroi.com control transferred to Char49;
- 2020/08/28 - First contact attempt with Segway by email; no reply from either security or technical support;
- 2020/09/25 - Contact request via Segway’s Twitter;
- 2020/09/28 - Segway replies via Twitter with a contact email address;
- 2020/09/29 - Technical report and PoC sent to Segway provided email address;
- 2020/10/01 - Issue was fixed without further feedback;
- 2020/12/21 - Disclosure.