Forgotten subdomains boost risk of account hijacking, other attacks

Subdomains that once served a purpose but later were forgotten by website administrators can be abused by hackers to attack users of sites under the same main domain.

Back in October, a Web security firm called Detectify warned that many companies have created subdomains to use with third-party services, such as remotely hosted helpdesk systems, code repositories and blogs, but then forgot to disable them after closing their accounts on those third-party services.

As a result, attackers can now open accounts with the same services, claim the subdomains pointed there as their own, and create credible phishing pages, the Detectify researchers explained at the time. This is possible because online services often don’t verify the ownership of subdomains.

To read this article in full or to leave a comment, please click here