An oversight by Starbucks exposed one of its subdomains to a takeover threat that could have been further leveraged in attacks against customers and the company.
A security researcher found that a Starbucks subdomain had a DNS pointer to an Azure cloud host that had been abandoned. The problem is that anyone registering the cloud host would receive data intended for the subdomain.
Active CNAME record to blame
The error consisted of leaving active, for the subdomain "datacafe-cert.starbucks.com", a CNAME (canonical name) record that pointed to an abandoned Azure resource named "s00397nasv101-datacafe-cert.azurewebsites.net."
By claiming the Azure resource name, an attacker could use the Starbucks subdomain to carry out cross-site scripting (XSS) and session hijacking attacks, since the same-origin policy (SOP) would not apply.
Receiving the data from a legitimate subdomain is a valuable asset that could also be used in phishing attacks or to distribute malware.
Electronic Arts made the same mistake a while ago, allowing security experts at Check Point and CyberInt to leverage it in an account takeover attack, disclosed toward the end of June.
This sort of security issue often occurs after a company runs a marketing campaign and forgets to clean the DNS records when it's over. It can also happen when testing things before the production stage.
Minimum effort for maximum impact
The issue was discovered on August 1 by Parzel, a Berlin-based hacker, and reported to Starbucks through its bug bounty program on the HackerOne platform. The company paid a reward of $2,000 for the private disclosure of the oversight.
Parzel discovered the problem by enumerating subdomains of starbucks.com and searching for those with a CNAME record that mapped to an Azure host.
The researcher explains the subsequent steps in the takeover process:
"For every domain that matched I performed a DNS query for the CNAME record entry. If this returns an NXDOMAIN, the subdomain can usually be taken over and it is possible to register a domain that matches the NXDOMAIN CNAME entry."
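The check Parzel describes is the same one a defender should run against their own zones on a schedule: follow every CNAME, and flag any record whose target name no longer exists (NXDOMAIN) and sits in a namespace, such as azurewebsites.net, where a new tenant could register that name. The audit below is an added example, not code from the article or from the researcher. The DNS resolver is injected as a function, so the script runs offline against a constructed zone that reproduces the article's record; the optional dnspython adapter for live lookups is an assumption about that library's API (dns.resolver.resolve and its exception classes).

```python
"""Audit CNAME records for dangling targets that could enable subdomain takeover.

Added example (not from the article). Status values:
  ok                  CNAME target still resolves
  dangling-claimable  target is NXDOMAIN and lives in a re-registrable provider namespace
  dangling-other      target is NXDOMAIN but outside the known claimable suffixes
  no-cname            name has no CNAME record (nothing to follow)
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Provider suffixes whose names can be re-registered by any tenant once released.
# azurewebsites.net is the case from the article; the tuple is meant to be extended.
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)

# A resolver returns a list of record strings, [] when the name exists but has no
# record of that type, and None when the name does not exist at all (NXDOMAIN).
Resolver = Callable[[str, str], Optional[List[str]]]


@dataclass
class Finding:
    subdomain: str
    cname_target: str
    status: str


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case so names compare reliably."""
    return name.rstrip(".").lower()


def audit(subdomains: List[str], resolve: Resolver) -> List[Finding]:
    """Follow each subdomain's CNAME and classify whether the target is dangling."""
    findings = []
    for sub in subdomains:
        cname = resolve(sub, "CNAME")
        if not cname:  # None (NXDOMAIN) or [] (no CNAME): nothing to follow
            findings.append(Finding(sub, "", "no-cname"))
            continue
        target = normalize(cname[0])
        if resolve(target, "A") is None:  # the target name itself is NXDOMAIN
            status = "dangling-claimable" if target.endswith(CLAIMABLE_SUFFIXES) else "dangling-other"
        else:
            status = "ok"
        findings.append(Finding(sub, target, status))
    return findings


# Constructed zone for the offline demo. The first pair mirrors the article's
# record; the example-zone.test names are invented for contrast.
CONSTRUCTED_ZONE = {
    ("datacafe-cert.starbucks.com", "CNAME"): ["s00397nasv101-datacafe-cert.azurewebsites.net."],
    ("s00397nasv101-datacafe-cert.azurewebsites.net", "A"): None,  # abandoned: NXDOMAIN
    ("www.example-zone.test", "CNAME"): ["app-live.azurewebsites.net."],
    ("app-live.azurewebsites.net", "A"): ["203.0.113.10"],  # still serving: fine
    ("old-promo.example-zone.test", "CNAME"): ["promo.legacy-host.test."],
    ("promo.legacy-host.test", "A"): None,  # dangling, but not a known claimable namespace
}
SUBDOMAINS = [
    "datacafe-cert.starbucks.com",
    "www.example-zone.test",
    "old-promo.example-zone.test",
    "mail.example-zone.test",  # has no CNAME in the constructed zone
]


def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    """Offline resolver over CONSTRUCTED_ZONE; unknown (name, type) means no record."""
    return CONSTRUCTED_ZONE.get((normalize(name), rtype), [])


def dnspython_resolve(name: str, rtype: str) -> Optional[List[str]]:
    """Optional live resolver using dnspython (assumed API; pip install dnspython)."""
    import dns.resolver  # imported lazily so the offline demo has no dependency
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []


if __name__ == "__main__":
    for f in audit(SUBDOMAINS, fake_resolve):
        print(f"{f.status:<20} {f.subdomain} -> {f.cname_target or '-'}")
```

To run the audit against a live zone, pass dnspython_resolve instead of fake_resolve and feed it the subdomain list exported from your DNS provider; only the dangling-claimable findings need the record removed or re-pointed before someone else registers the target.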
To prevent malicious use, Parzel registered a service on Azure using the name mapped to the Starbucks subdomain.
A couple of days after the private report, Parzel saw that the CNAME record had been removed and released the Azure name. The Starbucks subdomain is no longer active.
This seems to be a recurring issue for Starbucks: a little over a year ago, the company paid another $2,000 to a researcher who reported the same type of problem with a different subdomain. That report was also made through HackerOne.
Comments
Memberx - 4 years ago
The title should read Starbucks abandoned Azure Site......
Your headline makes it seem as if there is a vulnerability in Azure that exposed Starbucks data.
chilinux - 4 years ago
"The title should read Starbucks abandoned Azure Site......
Your headline makes it seem as if there is a vulnerability in Azure that exposed Starbucks data."
The fact that Azure allows new customers to re-use the same exact app service name as a previous customer helps to make this attack possible. Given that it seems commonplace for the A record to be hidden behind a CNAME, there should be no reason that the A record couldn't be an auto-assigned 32 character string that is never re-used. If that was the case then stale CNAME records to azurewebsites.net should be benign.
So, an example of the azurewebsites.net reuse problem was that ea-invite-reg.azurewebsites.net could be selected by EA and then later by Check Point and CyberInt.
But what if EA's app service was automatically named 6be9d0e03833ca95c73cc8775f9460fc.azurewebsites.net
The purpose for which EA would use the app service would not change, they would point the CNAME of eaplayinvite.ea.com to it regardless of if they picked the name or they got an automatic assignment.
Then let's say Check Point attempted 1 quadrillion app services in attempts to get the same exact name that EA previously used assigned; they still would have only scratched the surface of the number of unique auto-assigned names. Ultimately, EA's poor DNS management would be shielded by the theoretical Azure automatic A record assignment.
So, if the headline makes it sound like there is a vulnerability in Azure, then maybe that is a good thing. It may not seem like a classic technical vulnerability but it is a policy vulnerability that Azure could address if they selected to.