(Press-News.org) The internet is full of dangers: sensitive data can be leaked, and malicious websites can allow hackers to access private computers. The Security & Privacy Research Unit at TU Wien, in collaboration with Ca' Foscari University, has now uncovered an important new security vulnerability that has been overlooked so far. Large websites often have many subdomains - for example, "sub.example.com" could be a subdomain of the website "example.com". With certain tricks, it is possible to take control of such subdomains. And if that happens, new security holes open up that also put people at risk who simply want to use the actual website (in this example: example.com).
The research team studied these vulnerabilities and also analysed how widespread the problem is: 50,000 of the world's most important websites were examined, and 1,520 vulnerable subdomains were discovered. The team was invited to the 30th USENIX Security Symposium, one of the most prestigious scientific conferences in the field of cybersecurity. The results have now been published online.
Dangling Records
"At first glance, the problem doesn't seem that bad," says Marco Squarcina from the Institute of Logic and Computation at TU Vienna. "After all, you might think that you can only gain access to a subdomain if you're explicitly allowed by the administrator of the website, but that's a mistake."
This is because often a subdomain points to another website that is physically stored on completely different servers. Maybe you own the website example.com and want to add a blog. You don't want to build it from scratch, but instead use an existing blogging service of another website. Therefore, a subdomain, such as blog.example.com, is connected to another site. "If you use the example.com page and click on the blog there, you won't notice anything suspicious," says Marco Squarcina. "The address bar of the browser shows the correct subdomain blog.example.com, but the data now comes from a completely different server."
But what happens if one day this link is no longer valid? Perhaps the blog is not needed anymore or it is relaunched elsewhere. Then the link from blog.example.com points to an external page that is no longer there. In this case, one speaks of "dangling records" - loose ends in the website's network that are ideal points of attack.
"If such dangling records are not promptly removed, attackers can set up their own page there, which will then show up at sub.example.com," says Mauro Tempesta (also TU Wien).
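The check an operator would run over their own zone to find the loose ends described above, as an added example (not code from the TU Wien / Ca' Foscari study or its tooling): every CNAME target is resolved, and a target that no longer resolves marks the record as dangling. The resolver is injectable, so the constructed snapshot below runs offline, and the records, zone name and addresses are all hypothetical sample data.

```python
"""Offline audit for dangling CNAME records (added example; not code from the
TU Wien / Ca' Foscari study or its tooling).

A CNAME whose target no longer resolves is a dangling record. The resolver
is injectable: the constructed snapshot below lets the check run offline,
and live_resolver() can be swapped in to query the system resolver.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]           # (subdomain, CNAME target)
Resolver = Callable[[str], Optional[str]]

# Constructed sample records under a hypothetical zone example.com.
SAMPLE_CNAMES: List[Record] = [
    ("blog.example.com", "example-blog.hosting-provider.example"),
    ("www.example.com", "lb.example.com"),
    ("shop.example.com", "retired-shop.saas-provider.example"),
    ("old.example.com", "decommissioned.example.com"),
]

# Constructed resolver snapshot: target -> address, or None when the name
# no longer exists (NXDOMAIN).
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "example-blog.hosting-provider.example": "198.51.100.10",
    "lb.example.com": "203.0.113.5",
    "retired-shop.saas-provider.example": None,
    "decommissioned.example.com": None,
}


def snapshot_resolver(name: str) -> Optional[str]:
    """Resolve against the constructed snapshot; unknown names count as NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Resolve via the operating system (IPv4 only); None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling(records: List[Record], resolve: Resolver = snapshot_resolver) -> List[Record]:
    """Return the records whose CNAME target does not resolve to any address."""
    return [(name, target) for name, target in records if resolve(target) is None]


def in_zone(name: str, apex: str) -> bool:
    """True when `name` is the zone apex or lies beneath it."""
    return name == apex or name.endswith("." + apex)


def triage(records: List[Record], apex: str,
           resolve: Resolver = snapshot_resolver) -> Dict[str, List[Record]]:
    """Split dangling records by where the target lives.

    'internal' targets are under the organisation's own zone and are fixed by
    DNS hygiene alone; 'third_party' targets point at someone else's service,
    which is the case the article describes. Both kinds should be deleted or
    re-pointed promptly.
    """
    dangling = find_dangling(records, resolve)
    return {
        "internal": [r for r in dangling if in_zone(r[1], apex)],
        "third_party": [r for r in dangling if not in_zone(r[1], apex)],
    }


if __name__ == "__main__":
    for kind, recs in triage(SAMPLE_CNAMES, "example.com").items():
        for name, target in recs:
            print(f"{kind}: {name} -> {target}")
```

Running the audit on a real zone export means passing `resolve=live_resolver` (or a resolver that also checks AAAA records); a scheduled run that alerts on any new `third_party` entry is the cheapest way to keep the six-month remediation gap the article reports from opening in the first place.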
This is a problem because websites apply different security rules to different areas of the internet. Their own subdomains are typically considered "safe", even if they are in fact controlled from outside. For example, cookies placed on users by the main website can be overwritten and potentially accessed from any subdomains: in the worst case, an intruder can then impersonate another user and carry out illicit actions on their behalf.
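To make the cookie point concrete, here is an added example (not code from the paper) that models the part of RFC 6265 cookie scoping that matters here: a cookie carrying `Domain=example.com` is shared with, and writable from, every subdomain, whereas a host-only cookie with the `__Host-` prefix cannot carry a Domain attribute and so cannot be replaced from a subdomain. The model ignores Path matching and leading-dot normalisation, and the hosts and cookie values are constructed.

```python
"""Minimal model of RFC 6265 cookie scoping (added example, not from the paper).

Shows why a cookie scoped with Domain=example.com is writable from any
subdomain, and how a host-only __Host- cookie (Secure, Path=/, no Domain
attribute) keeps a subdomain from overwriting it. Path matching and
leading-dot normalisation are left out for brevity.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]      # Domain attribute, or None for a host-only cookie
    secure: bool = True
    path: str = "/"


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain matching: host equals domain or ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)


def host_prefix_ok(c: Cookie) -> bool:
    """__Host- prefix rule: Secure, Path=/, and no Domain attribute at all."""
    if not c.name.startswith("__Host-"):
        return True
    return c.secure and c.path == "/" and c.domain is None


class CookieJar:
    """Browser-side store keyed by (name, domain, host_only), as a browser keys cookies."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str, bool], str] = {}

    def set_from(self, setting_host: str, c: Cookie) -> bool:
        """Store a cookie sent by `setting_host`; returns False if a browser would reject it."""
        # A host may only set Domain cookies for itself or a parent domain,
        # so blog.example.com may set Domain=example.com. The jar records
        # nothing about which host set the cookie: that is the ambient
        # authority the article warns about.
        if c.domain is not None and not domain_matches(setting_host, c.domain):
            return False
        if not host_prefix_ok(c):
            return False
        key = (c.name, c.domain or setting_host, c.domain is None)
        self.store[key] = c.value          # same key => overwrite
        return True

    def cookies_for(self, host: str) -> Dict[str, str]:
        """Cookies a browser would attach to a request for `host`."""
        out: Dict[str, str] = {}
        for (name, domain, host_only), value in self.store.items():
            sent = host == domain if host_only else domain_matches(host, domain)
            if sent:
                out[name] = value
        return out


def demo() -> Dict[str, object]:
    """Weak scoping versus __Host- scoping, with a subdomain trying to replace the session."""
    jar = CookieJar()
    jar.set_from("example.com", Cookie("session", "alice", domain="example.com"))
    # A subdomain (e.g. one behind a dangling record) sets the same name and Domain.
    jar.set_from("blog.example.com", Cookie("session", "attacker", domain="example.com"))
    weak = jar.cookies_for("example.com")["session"]

    hardened_jar = CookieJar()
    hardened_jar.set_from("example.com", Cookie("__Host-session", "alice", domain=None))
    # With a Domain attribute the prefixed cookie is rejected outright ...
    rejected = not hardened_jar.set_from(
        "blog.example.com", Cookie("__Host-session", "attacker", domain="example.com"))
    # ... and a host-only attempt lands on blog.example.com, never on example.com.
    hardened_jar.set_from("blog.example.com", Cookie("__Host-session", "attacker", domain=None))
    hardened = hardened_jar.cookies_for("example.com")["__Host-session"]
    return {"weak": weak, "hardened": hardened, "domain_attr_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The design lesson is the one the article states: the browser treats every host under `example.com` as equally entitled to write a `Domain=example.com` cookie, so the main site's session cookie is only as safe as its least-maintained subdomain. Dropping the Domain attribute (and using the `__Host-` prefix so browsers enforce that) removes subdomains from the trust boundary for that cookie, which is the cheap fix the researchers allude to.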
Alarmingly common problem
The team composed of Marco Squarcina, Mauro Tempesta, Lorenzo Veronese, Matteo Maffei (TU Wien), and Stefano Calzavara (Ca' Foscari) investigated how common this problem is: "We examined 50,000 of the most visited sites in the world, discovering 26 million subdomains," says Marco Squarcina. "On 887 of these sites we found vulnerabilities, on a total of 1,520 vulnerable subdomains." Among the vulnerable sites were some of the most famous websites of all, such as cnn.com or harvard.edu. University sites are more likely to be affected because they usually have a particularly large number of subdomains.
"We contacted all the people responsible for the vulnerable sites. Nevertheless, 6 months later, the problem was still only fixed on 15 % of these subdomains," says Marco Squarcina. "In principle, it would not be difficult to fix these vulnerabilities. We hope that with our work we can create more awareness about this security threat."
INFORMATION:
Original publication
Further information and the original paper: canitakeyoursubdomain.name
Contact
Prof. Matteo Maffei
Institute for Logic and Computation
TU Wien
Favoritenstraße 9-11, 1040 Vienna
+43 1 58801 184860
matteo.maffei@tuwien.ac.at
Dott. Marco Squarcina
Institute for Logic and Computation
TU Wien
Favoritenstraße 9-11, 1040 Vienna
+43 1 58801 192607
marco.squarcina@tuwien.ac.at