Edward Wall

What is Subdomain Takeover?

Subdomain Takeover (or Subdomain Hijacking) is the act of taking control of a subdomain's content. It can occur when a subdomain which was using a third party service stops using the service but does not remove the DNS records pointing to the third party.

The Setup

You want to host a service on your website, maybe a blog or a shop. You might decide to use a service to run it for you. You create DNS records for your subdomain to point to the service and when the service receives a request from your subdomain they return your page.

When you want to stop using the service you might delete your account with the service, but you must also delete the DNS records pointing to the service.

If you do not, users requesting your subdomain will still get sent to the service, which will return an error because they do not have any accounts with your subdomain assigned to them. For example if the service is GitHub, you would see the following page.

GitHub error page showing "There isn't a GitHub Pages site here"

The Problem

There is nothing stopping me or anyone else from signing up with the service and claiming your subdomain. Services like this tend not to do any verficiation that you actually own the domain.

After doing this I can serve content from your subdomain. This means that I could take advantage of your website's reputation to spread malware or even redirect all traffic to your competitor.

The Solution

When using third party services you must be careful. When you stop using a service, simply deleting your account is not enough. You must also ensure that all DNS records pointing to the service are removed or changed.

Subdomain Takeover