Buckhacker and Subdomain Takeover

Buckhacker Search Engine

A group of hackers developed an interesting Proof-of-Concept to highlight the problem of subdomain takeover on Amazon S3 Buckets. A bucket is a logical unit of storage in Amazon Web Services, Simple Storage Solution (S3) used to store objects consisting of data and related metadata.

The problem consists of a mix of incorrect design and misconfiguration (i.e. CNAME DNS record) that make possible for a hacker to take over a bucket previously owned by a Company and perform malicious actions like:

  • JavaScript Cryptomining
  • Cookies stealing with the sub.domain.tld scope
  • Sniffing for access to file
  • Serving malicious content
  • Phishing Attacks

A subdomain takeover is considered a high severity threat and boils down to the registration of a domain by somebody else in order to gain control over one or more (sub)domains.

The "buckhacker" search engine is currently offline at: www.buckhacker.com but has been tested during the period it was online. It allows to search for Amazon S3 Buckets using bucket name or by specific resource name (e.g. password, cryptocurrency, etc.). It also returns entries labeled as “Access Denied” and “The specified bucket does not exist", indicating that the specific bucket could be susceptible to subdomain takeover.

Tags per sicurezza: