$750 Domain Hijacking Vulnerability – A simple P3

1day

Hello friends, this is gonna be a short, quick write-up on how I got a simple P3 vulnerability (Medium) on Bugcrowd.

Domain hijacking

You’ve heard of subdomain hijacking before, right? But have you ever heard of “Domain hijacking”?

Domain hijacking is similar to subdomain hijacking, but here we are going to claim an unclaimed domain of the company.

Parked domain

These are domain pages that are not currently claimed by any website; instead they show a placeholder-type page which points to some other websites. They are commonly set up by domain registrars or some third parties. A parked domain shows that a domain is available to claim, and it is a golden opportunity for hackers.

The bug

As I was going through the website's functionalities, I saw a referral link sharing feature. The application has a referral URL which is not on the same domain as the main website (a whole other domain which sounds similar to the main one). I tried visiting the referral URL, but it pointed to a *parked domain*, which means the domain is currently not owned by anyone.

To confirm this, I went to namecheap.com and saw that the domain was available for purchase. Since the domain is paid, I was not able to purchase it to demonstrate the impact. But I showed them something more impactful…

The application had “Twitter” and “Facebook” buttons which, when pressed, let you post the referral URL to your Twitter/Facebook with a text like “Come join our companyXyz”. So I searched for the URL on Twitter and saw that 100s of people had posted it on their accounts. I used this screenshot to prove the impact to the company and they took it seriously.

If an attacker claims it, the company can do nothing about the already posted referral links. The company can then only change the newly generated referral URLs, so the only option is to claim the domain as fast as possible.

Impact

An attacker can claim the domain and serve malicious content on the website while pretending to be the company. The attacker can also impersonate the company and set up a fake subscription page where users would purchase unknowingly. This can turn into a serious problem if the domain is not claimed by the company.
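
A defender-side check for the issue described above, as an added example that is not part of the original write-up: it extracts every URL an application page links to or embeds in its Twitter/Facebook share buttons and reports the hosts that fall outside the company's registered domains, so their registration can be verified. The owned-domain list, the sample HTML and all host names are constructed placeholders.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Assumption: domains the company has registered and keeps renewed.
OWNED_DOMAINS = {"example.com"}
# Share endpoints mapped to the query parameters that carry the shared link.
SHARE_PARAMS = {"twitter.com": ("url", "text"), "facebook.com": ("u",)}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample of a referral page; every host here is a placeholder.
SAMPLE_HTML = """
<a href="https://www.example.com/pricing">Pricing</a>
<input readonly value="https://example-invite.test/r/abc123">
<a href="https://twitter.com/intent/tweet?text=Come%20join%20our%20companyXyz&amp;url=https%3A%2F%2Fexample-invite.test%2Fr%2Fabc123">Twitter</a>
<a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fexample-invite.test%2Fr%2Fabc123">Facebook</a>
"""

def is_owned(host):
    """True only for an owned domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)

def embedded_urls(url):
    """Yield the URL itself plus any URL carried inside a share link."""
    yield url
    parts = urlsplit(url)
    share_host = (parts.hostname or "").removeprefix("www.")
    for param in SHARE_PARAMS.get(share_host, ()):
        for value in parse_qs(parts.query).get(param, []):
            yield from URL_RE.findall(value)

def unowned_hosts(html):
    """Return hosts the page links to or shares that are outside OWNED_DOMAINS."""
    found = set()
    for raw in URL_RE.findall(unescape(html)):
        for url in embedded_urls(raw):
            host = urlsplit(url).hostname or ""
            if host and host.removeprefix("www.") not in SHARE_PARAMS and not is_owned(host):
                found.add(host)
    return found

if __name__ == "__main__":
    for host in sorted(unowned_hosts(SAMPLE_HTML)):
        print("verify registration and ownership:", host)
```

Each reported host still has to be checked against the registrar account by hand; the script only narrows down which domains the application hands to users.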

Conclusion

If you liked this, please clap for this article and follow me if you’d like to see more of my content❣️

Written by 1day

I love computers because of the bugs in it
