USA.gov vulnerable to Subdomain takeover

While checking the USA.gov domain with its EASM platform, Sweepatic, a brand of Outpost24, discovered a significant security gap that allowed us to take over one of its subdomains. We secured the subdomain against hostile actors and, through coordination with the National CSIRT in the US, made USA.gov aware of the issue.

What would you say if one day you are visiting usa.gov and you’d see this screen:

Protected by Sweepatic screenshot

What are those fish doing on the official US government website?

Well, this actually happened! Our reconnaissance platform lets us run targeted queries and surface suspicious subdomains, and that is how the gap in USA.gov turned up.

In this blog post we explain what exactly happened and how you can protect your organization from these "Subdomain Takeovers". If you are wondering what a subdomain takeover is, see our blog post on the principles of a Subdomain Takeover, which covers in detail how a takeover is carried out and how to reduce your exposure.

So what happened to usa.gov?

With our reconnaissance platform we search the internet using targeted queries, which lets us spot suspicious subdomains for any domain we check. In the USA.gov case, the suspicious subdomain was api.usa.gov.

On inspection by our expert hunters, we found that api.usa.gov pointed to api-usa-gov.domains.api.data.gov via a CNAME record.

api-usa-gov.domains.api.data.gov in turn had A records pointing at GitHub's infrastructure (GitHub Pages), but the hostname api.usa.gov was no longer configured as a custom domain on any GitHub Pages site. Because GitHub Pages serves content based on the Host header of the request, any attacker could add api.usa.gov as the custom domain of their own GitHub Pages site and gain full control over what is served on one of USA.gov's subdomains, with the DNS still pointing exactly where USA.gov left it.
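The check below is an added example, not Sweepatic's code or anything from the USA.gov or data.gov teams. It follows the CNAME chain described above against a DNS table and HTTP responses that are constructed inline (the chain and the GitHub Pages addresses mirror the post; the hostnames claimed.example and stale.example are hypothetical), and reports "vulnerable" when the chain ends on GitHub Pages but no site has claimed the hostname. The same function also confirms the fix from the section below: once the CNAME is removed, the subdomain no longer resolves onto someone else's infrastructure.

```python
"""Detect a dangling CNAME chain ending on GitHub Pages with no site claiming
the hostname, the condition that made api.usa.gov takeover-able.

Added example, not the post's own code. DNS answers and HTTP bodies are
constructed offline to mirror the chain described in the post.
"""
import ipaddress

# Constructed DNS table: name -> ("CNAME", target) or ("A", [ips]).
# The api.usa.gov chain follows the post; 185.199.108-111.153 are GitHub's
# published GitHub Pages addresses. The *.example names are hypothetical.
DNS = {
    "api.usa.gov": ("CNAME", "api-usa-gov.domains.api.data.gov"),
    "api-usa-gov.domains.api.data.gov": ("A", ["185.199.108.153", "185.199.109.153"]),
    "claimed.example": ("CNAME", "user.github.io"),   # hypothetical: a claimed site
    "user.github.io": ("A", ["185.199.110.153"]),
    "stale.example": ("CNAME", "gone.example"),       # hypothetical: target is NXDOMAIN
}

# GitHub Pages address space (covers 185.199.108.153 .. 185.199.111.153).
GITHUB_PAGES = [ipaddress.ip_network("185.199.108.0/22")]

# Constructed HTTP bodies keyed by the Host header sent to the Pages edge.
# The unclaimed-host text is the phrase GitHub's own 404 page uses.
UNCLAIMED_FINGERPRINT = "There isn't a GitHub Pages site here"
HTTP = {
    "claimed.example": "<html>welcome to my site</html>",
    "api.usa.gov": "There isn't a GitHub Pages site here.",
}


def resolve_chain(name, dns=DNS, max_hops=8):
    """Follow CNAMEs from name. Returns (chain, ips); ips is [] when the chain
    dead-ends on a name with no record (NXDOMAIN), itself a takeover signal
    for providers that let anyone register the missing name."""
    chain = [name]
    for _ in range(max_hops):
        rec = dns.get(name)
        if rec is None:
            return chain, []
        kind, value = rec
        if kind == "A":
            return chain, value
        name = value
        chain.append(name)
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain))


def on_github_pages(ips):
    """True when every terminal A record lies in the GitHub Pages ranges."""
    return bool(ips) and all(
        any(ipaddress.ip_address(ip) in net for net in GITHUB_PAGES) for ip in ips
    )


def fetch_body(host, http=HTTP):
    """Stand-in for an HTTP GET to the Pages edge with Host: host (offline)."""
    return http.get(host, "")


def assess(name, dns=DNS, http=HTTP):
    """Classify one hostname: no-record, not-cname, dangling-nxdomain,
    not-github, claimed, or vulnerable."""
    rec = dns.get(name)
    if rec is None:
        return "no-record"
    if rec[0] == "A":
        return "not-cname"
    chain, ips = resolve_chain(name, dns)
    if not ips:
        return "dangling-nxdomain"
    if not on_github_pages(ips):
        return "not-github"
    # GitHub routes on the Host header, so probe with the original hostname.
    if UNCLAIMED_FINGERPRINT in fetch_body(name, http):
        return "vulnerable"
    return "claimed"


def remediate(name, dns):
    """The fix from the post: drop the subdomain's CNAME. Returns a new table."""
    fixed = dict(dns)
    fixed.pop(name, None)
    return fixed


if __name__ == "__main__":
    for host in ("api.usa.gov", "claimed.example", "stale.example"):
        print(host, "->", assess(host))
    print("api.usa.gov after fix ->", assess("api.usa.gov", remediate("api.usa.gov", DNS)))
```

Against live DNS you would replace the table with real lookups and `fetch_body` with a request that sets the Host header explicitly; the decision logic stays the same. The fingerprint string is specific to GitHub Pages, so each hosting provider in your CNAME inventory needs its own "unclaimed" signature. GitHub has since added domain verification for Pages, which limits who can claim a hostname, but the dangling record itself is still the defect to remove.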

A vulnerable subdomain like this gives an attacker many options. It provides ready-made, trusted infrastructure for:

  • Phishing
  • Malware spreading
  • Cookie extraction
  • “Man-in-the-browser” attacks
  • USA.gov brand damage

This makes it clear: a subdomain takeover is a high risk and should be treated as one.

How to protect/repair the domain?

To fix the domain, remove the dangling CNAME record for the subdomain, or point it at infrastructure you actually control. If the subdomain is still needed on the third-party service, claim the hostname there before the DNS record goes live, and audit your DNS zones regularly for records that point at services you have since deprovisioned.

CNAME record of subdomain

As already mentioned above, our blog post on the principles of a Subdomain Takeover will explain all of this in more detail.

Responsible disclosure

After securing the domain, we contacted the National CSIRT in the US, which coordinated the responsible disclosure to USA.gov. We believe this is a prime example of collaboration between the private sector, the public sector and governmental bodies. In the future, this kind of collaboration will be crucial to ensuring the best possible security in cyberspace.

This was also confirmed at the 5th European Annual Cyber Security Conference in Brussels this year, as this exact collaboration was one of the major talking points in the agenda.

About the Author

Stijn Vande Casteele, Founder of Sweepatic, Outpost24

With over 20 years of experience, Stijn is a seasoned entrepreneur and cyber security leader. He has worked with startups and enterprise organizations in both the private and public sectors, leveraging his industry knowledge and technical expertise to benefit all levels of the organization. Stijn holds the NATO/EU SECRET security clearance and is fluent in Dutch, French, and English.