Security Incident Report: subdomain takeover

On September 16th, an independent security researcher contacted us via the email address and reported a security issue (a subdomain takeover) affecting one of our DNS records. We filed a low-risk security incident and have completed remediation.

What happened

When an external service hosts a web application (GitHub Pages, Netlify and so on), it is common to serve the application from a custom domain or subdomain. This is done by configuring the domain in the service provider and adding a DNS record (type A or CNAME) that points at an IP address or hostname the provider supplies. The same record is also how ownership of the custom domain is proved to the provider.

However, if the application is later deleted from the provider but the DNS record is left in place, anyone can create a new application with the same provider and claim the same custom domain. The provider will then serve that new application under a domain or subdomain that still belongs to the original owner, with the original owner's DNS record doing the routing.

This is what happened with the domain, which served a web application from GitHub Pages backed by a git repository. When the application was no longer needed, the repository was archived and the application discontinued, but the DNS record was not removed. This allowed an attacker to take over the domain by creating a new GitHub repository and using as the custom domain for its Pages site.

Our actions

The DNS record has been removed, which was all that was needed to resolve this issue: with no record pointing at the provider, the attacker's page is no longer reachable under our name. We have also started a comprehensive audit of the DNS zones we administer, looking for other records that point at external hosting providers but no longer correspond to a live application, in order to prevent similar incidents.
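The audit described above comes down to two questions for every A or CNAME record in a zone: does it point at a hosting provider where an unclaimed name can be registered by anyone (the takeover pattern explained under "What happened"), and does the provider currently serve a site for that host? The script below is an added example of that check and is not Tendermint's own audit tooling. The provider suffix list, the zone file text, the probe results and the `probe` callback interface are all constructed or assumed for the demonstration; in practice the probe would resolve the hostname and fetch `http(s)://hostname/` to look for the provider's "no site configured here" response (for GitHub Pages, the 404 page stating that there isn't a GitHub Pages site at that address).

```python
"""Audit a DNS zone for records that point at hosting providers where an
unclaimed name can be registered by anyone (the subdomain-takeover pattern).

Added example, not Tendermint's own audit tooling. The provider suffixes,
the zone file text and the probe results are constructed for the demonstration;
probe() is an assumed interface you would implement with a real DNS lookup plus
an HTTP request against the custom domain.
"""
import re
from dataclasses import dataclass

# CNAME targets where a deleted site leaves the name free to re-register (constructed, not exhaustive).
TAKEOVER_PRONE_SUFFIXES = (".github.io", ".netlify.app", ".herokuapp.com")
# Shared IPs that GitHub documents for Pages A records: an A record to these is as
# dangerous as a CNAME, because the provider matches the site by Host name, not by IP.
GITHUB_PAGES_IPS = {"185.199.108.153", "185.199.109.153",
                    "185.199.110.153", "185.199.111.153"}

# Status a probe of the custom domain returns:
#   "claimed"   -> provider serves a site bound to this host (fine)
#   "unclaimed" -> provider answers but no site is bound to this host (takeover possible)
#   "nxdomain"  -> CNAME target no longer resolves at all (takeover possible if the name is registrable)


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name, no trailing dot
    rtype: str   # "A" or "CNAME"
    target: str  # IP address or hostname, lower-cased, no trailing dot


_ZONE_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|CNAME)\s+(\S+)$", re.IGNORECASE)


def _qualify(name, origin):
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Minimal BIND-style parser for A and CNAME lines; other types and directives are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and surrounding whitespace
        m = _ZONE_LINE.match(line)
        if not m:
            continue
        name, rtype, target = m.groups()
        records.append(Record(_qualify(name, origin), rtype.upper(), target.rstrip(".").lower()))
    return records


def points_at_provider(rec):
    """True if the record hands the name to an external hosting provider."""
    if rec.rtype == "CNAME":
        return rec.target.endswith(TAKEOVER_PRONE_SUFFIXES)
    return rec.rtype == "A" and rec.target in GITHUB_PAGES_IPS


def find_dangling(records, probe):
    """Return provider-pointing records whose host the provider does not currently serve.

    probe(hostname) -> "claimed" | "unclaimed" | "nxdomain". Injected so the audit
    runs offline in this example; wrap real DNS + HTTP checks for production use.
    """
    return [r for r in records if points_at_provider(r) and probe(r.name) != "claimed"]


# Constructed zone: two healthy records, one archived GitHub Pages site (the incident
# pattern), one Pages site by A record, one dead Netlify site.
SAMPLE_ZONE = """
$ORIGIN example.com.
@        3600 IN A     203.0.113.10
www      3600 IN CNAME example.com.
docs     3600 IN CNAME example.github.io.   ; site archived, record left behind
legacy   3600 IN A     185.199.108.153      ; old Pages site configured via A record
blog     3600 IN CNAME blog-old.netlify.app.
"""

# Constructed probe results standing in for real DNS + HTTP checks.
_PROBE_RESULTS = {
    "docs.example.com": "unclaimed",
    "legacy.example.com": "unclaimed",
    "blog.example.com": "nxdomain",
}


def sample_probe(hostname):
    return _PROBE_RESULTS.get(hostname, "claimed")


def audit_sample():
    """Run the audit over the constructed zone and return the dangling hostnames, sorted."""
    records = parse_zone(SAMPLE_ZONE, "example.com")
    return sorted(r.name for r in find_dangling(records, sample_probe))


if __name__ == "__main__":
    for name in audit_sample():
        print(f"DANGLING: {name}")
```

The "claimed" check is the part that matters: a CNAME to a provider hostname such as `example.github.io` usually keeps resolving after the site is deleted, so an NXDOMAIN test alone misses exactly the GitHub Pages case from this incident. Each flagged record should either be removed or re-bound to a live application at the provider before the audit is considered closed.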

On behalf of Tendermint Inc. Engineering