
Oops, you found a subdomain takeover. Should you be worried?

Submitted by Style Pass, 2024-06-09 23:00:06

Dangling DNS records that allow for a subdomain takeover are nothing new. Auditing tools for pen testers like can-i-take-over-xyz have been around for years, while resources like MDN do a solid job trying to educate developers and operations teams about the issue.

As soon as we became aware of the issue, we advised removing the dangling DNS CNAME record. That stopped the bleeding but didn’t tell us what the malicious actor was up to.
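Finding records like the one above before someone else does comes down to auditing your own zone for CNAMEs whose target has gone away. The script below is an added example, not code from the post or from any of the tools it mentions: it parses a BIND-style zone export, flags every CNAME whose target returns NXDOMAIN as dangling, and marks CNAMEs that resolve but point at a third-party hosting platform for manual review, since (as with the GitHub Pages case here) the target name can still resolve while the custom domain is no longer claimed on the provider side. All hostnames, zone records, the provider suffix list and the resolver answers are constructed for the example.

```python
"""Audit a BIND-style zone export for dangling CNAME records.

Added example, not code from the post: it flags CNAMEs whose target no
longer resolves (NXDOMAIN) and CNAMEs that point at third-party hosting
platforms, where the name must also still be claimed on the provider side.
Every hostname, zone record and resolver answer below is constructed.
"""
import re
from typing import Callable, Dict, List, Optional

# Hosting suffixes worth a manual check even when the CNAME target resolves.
# This short list is an assumption for the example; the fingerprint lists in
# auditing tools such as can-i-take-over-xyz are far more complete.
THIRD_PARTY_SUFFIXES = (".github.io.", ".herokuapp.com.", ".azurewebsites.net.")

# owner [ttl] [IN] CNAME target   (comments and other record types are skipped)
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.IGNORECASE)

# A resolver returns the target's address records, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line in a zone export."""
    cnames: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        match = CNAME_RE.match(line)
        if not match:
            continue
        owner, target = match.group(1).lower(), match.group(2).lower()
        if not target.endswith("."):             # normalise the target to an FQDN
            target += "."
        cnames[owner] = target
    return cnames


def find_dangling(cnames: Dict[str, str], resolve: Resolver) -> List[dict]:
    """Classify each CNAME as 'dangling' (NXDOMAIN target) or 'review'
    (resolves, but lives on a claimable third-party platform); others are fine."""
    findings: List[dict] = []
    for owner, target in cnames.items():
        if resolve(target) is None:
            findings.append({"owner": owner, "target": target, "status": "dangling",
                             "reason": "target does not resolve (NXDOMAIN)"})
        elif target.endswith(THIRD_PARTY_SUFFIXES):
            findings.append({"owner": owner, "target": target, "status": "review",
                             "reason": "third-party host; confirm the custom domain "
                                       "is still claimed in the provider's console"})
    return findings


def audit(zone_text: str, resolve: Resolver) -> List[dict]:
    """Parse a zone export and return the list of suspicious CNAMEs."""
    return find_dangling(parse_cnames(zone_text), resolve)


# --- constructed sample data (not the post's real records) ----------------
SAMPLE_ZONE = """\
; constructed example zone
docs.example.com.   300 IN CNAME example-org.github.io.
shop.example.com.   300 IN CNAME old-shop.legacy-vendor.example.
www.example.com.    300 IN CNAME example.com.
api.example.com.    300 IN A     203.0.113.10
"""

# Fake resolver answers: None stands for NXDOMAIN.
FAKE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "example-org.github.io.": ["203.0.113.20"],   # resolves; is the name still claimed?
    "old-shop.legacy-vendor.example.": None,       # vendor deleted the host
    "example.com.": ["203.0.113.10"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for a real resolver; unknown names count as NXDOMAIN."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, fake_resolve):
        print(f"{finding['status']:8} {finding['owner']} -> {finding['target']}: {finding['reason']}")
```

Against real data, swap `fake_resolve` for a function that wraps a resolver library (for example dnspython's `dns.resolver.resolve`, returning `None` when it raises `dns.resolver.NXDOMAIN`) and feed it the zone export from your DNS provider. NXDOMAIN is only the loudest signal; the "review" findings are the ones that need someone to log in to the hosting platform and confirm the subdomain is still attached to an account you control.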

Why did they bother doing a subdomain takeover? Did they potentially read cookies set from the top-level domain, perform cross-site scripting and circumvent content security policies (CSP), use the subdomain to bypass redirect whitelists, or…?

Given this was a subdomain takeover of a GitHub Pages website, the full contents of the site were easy to find. Using the GitHub search function, we found the repository “tiodiatavo” owned by the GitHub user @stepard.

The repository had ~10,900 HTML files with Arabic content on a range of topics: recipes, computer equipment, visas, affiliate marketing, and Lorem Ipsum.
