top | item 24068858

Subdomain hack associated with a removed S3 bucket

14 points| holdenc | 5 years ago

tldr; If you delete an S3 bucket with a subdomain name, you need to delete the DNS record that points to it, or the missing bucket may be recreated by someone else, and used to host bad content at your subdomain.

Timeline:

- Received a message from Google Search Console that a new user has been verified for to-be-hacked.my-company.com.

- Looked in Google Search Console, but no new users exist. However, a new site map was submitted for: to-be-hacked.my-company.com/sitemap.xml This is filled with spam pages. The hacker apparently recreated the missing S3 bucket in their own account, and used this to verify the domain ownership with Google Search Console and then host the sitemap.xml filled with spam content. The spam content is also hosted in the bucket at to-be-hacked.my-company.com.

3 comments

gtsteve|5 years ago

Interesting, thanks. I guess I didn't consider it because I've never deleted a S3 bucket. We've got a few S3 buckets used in that way, I'll make sure our guys know never to delete them.

holdenc|5 years ago

Yeah, apparently it's a known vector: https://hackerone.com/reports/121461

k4ch0w|5 years ago

Very common attack. It's called a subdomain takeover.