A security researcher discovered a serious subdomain takeover vulnerability in the WordPress hosting platform Flywheel. The researcher described it as an easily exploitable bug that puts customer websites at risk. It remains unclear whether Flywheel has addressed, or plans to address, the issue.
Flywheel Subdomain Takeover Vulnerability
In a blog post detailing his findings, researcher Ahmed Elmalky explained how a Flywheel vulnerability could be exploited for subdomain takeover.
Flywheel is a managed WordPress hosting platform that lets customers build websites quickly, with site management and security included. The firm lists numerous well-known companies among its clientele on its website.
Specifically, exploiting the bug requires only that an attacker subscribe to Flywheel (for just $15) and create a website. Linking that site to the vulnerable Flywheel subdomain then grants control of the subdomain. In the worst case, exploiting this flaw could even enable account takeover.
Once in control, the adversary could carry out a range of malicious activities on the target site. Describing the impact of the bug, the researcher wrote in the post:
"An attacker can use this misconfiguration to take over the subdomain, publish arbitrary contents, run malicious JavaScript code at the user's end, harvest credentials using a phishing attack, deface a website, etc., and also steal the cookies of the user if cookies are scoped to the parent domain and escalate to account takeover."
Recommended Mitigations
The researcher discovered this vulnerability about two months ago. As mitigation, he advises removing the DNS entry for the unused subdomain:
"The DNS entry for the subdomain should be removed from DNS records if not in use."
However, it isn't clear whether the researcher informed Flywheel of the vulnerability, or whether the vendor has patched or will patch the flaw.
Subdomain takeovers are common but serious security flaws that attackers frequently exploit. Businesses should therefore actively monitor their domains for such vulnerabilities to protect the integrity of their sites and their customers.
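As an added example (not from the article, the researcher's post, or Flywheel), the following Python script shows what the recommended mitigation and monitoring look like in practice: it audits a zone's CNAME records for the two dangling conditions behind this class of takeover, a target that no longer resolves, and a target at a shared hosting provider that has no tenant bound to the hostname, and emits the records to delete. The zone records, the provider suffix `hosting-provider.example`, and the two lookup tables are constructed placeholders so the script runs offline; a real audit would replace `resolve` and `is_claimed` with a live DNS query and an HTTP probe of the provider.

```python
"""Audit CNAME records for dangling entries (added example, not the
article's or Flywheel's code). All records, hostnames and lookup tables
below are constructed placeholders so the script runs offline."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# Shared hosting endpoints that serve many tenants. A CNAME to one of these
# is only safe while the provider has a tenant bound to the exact hostname.
# The suffix is a constructed placeholder, not a real provider's domain.
THIRD_PARTY_SUFFIXES = ("hosting-provider.example.",)

# Constructed zone: (owner name, record type, target or address)
ZONE_RECORDS: Sequence[Tuple[str, str, str]] = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("blog.example.com.", "CNAME", "sites.hosting-provider.example."),      # live site at provider
    ("old-shop.example.com.", "CNAME", "sites.hosting-provider.example."),  # site deleted at provider
    ("legacy.example.com.", "CNAME", "retired.other-host.example."),        # target no longer exists
    ("docs.example.com.", "CNAME", "www.example.com."),                     # in-zone, not third party
]

# Constructed resolver view: name -> address, or None for NXDOMAIN.
DNS_VIEW = {
    "www.example.com.": "203.0.113.10",
    "sites.hosting-provider.example.": "198.51.100.5",
    "retired.other-host.example.": None,
}

# Constructed provider view: which hostnames the provider has a tenant for.
# In a live audit this would be an HTTP probe of the provider with the Host
# header set to the owner name, checking for its "no such site" response.
CLAIMED_AT_PROVIDER = {
    "blog.example.com.": True,
    "old-shop.example.com.": False,
}


def resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS lookup; returns None when the name does not exist."""
    return DNS_VIEW.get(name)


def is_claimed(owner: str) -> bool:
    """Stand-in for probing the provider: does it serve a tenant for this name?"""
    return CLAIMED_AT_PROVIDER.get(owner, False)


@dataclass
class Finding:
    owner: str
    target: str
    reason: str


def audit_cnames(records: Sequence[Tuple[str, str, str]],
                 resolve_fn: Callable[[str], Optional[str]],
                 claimed_fn: Callable[[str], bool]) -> List[Finding]:
    """Return every CNAME that an outsider could potentially claim."""
    findings: List[Finding] = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        if resolve_fn(target) is None:
            # Dangling: the target name itself is gone (NXDOMAIN).
            findings.append(Finding(owner, target, "target does not resolve"))
        elif target.endswith(THIRD_PARTY_SUFFIXES) and not claimed_fn(owner):
            # Provider still answers, but nobody on the provider owns this
            # hostname, so a new customer could bind it to their own site.
            findings.append(Finding(owner, target, "no tenant at provider for this hostname"))
    return findings


def removal_plan(findings: List[Finding]) -> List[str]:
    """The fix the researcher recommends: delete the unused record."""
    return [f"delete CNAME {f.owner} -> {f.target} ({f.reason})" for f in findings]


if __name__ == "__main__":
    for line in removal_plan(audit_cnames(ZONE_RECORDS, resolve, is_claimed)):
        print(line)
```

Running the script flags `old-shop.example.com.` (provider answers, but no tenant owns the name) and `legacy.example.com.` (target is NXDOMAIN), while `blog.example.com.` and the in-zone `docs.example.com.` pass. Scheduling this kind of audit against the authoritative zone, rather than checking once, is what catches the record that becomes dangling months after the site behind it is deleted.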
Last modified: December 28, 2021