vulnerable to Subdomain takeover

What would you say if one day you were visiting and saw this screen:


What are those fish doing on an official US government website?

Well, this actually happened! Through our reconnaissance platform we are able to run targeted queries and find suspicious domains. When checking the domain we discovered a significant security gap which enabled us to take over their subdomain. Of course, we then secured it from hostile hackers and, through coordination by the National CSIRT in the US, we helped raise awareness of this significant security gap.

In this blog post we will explain and show you what exactly happened and how you can protect your organization from these very “Subdomain Takeovers”. If you’re asking what that is, here’s our blog post on the principles of a Subdomain Takeover. It covers in great detail how a takeover is done and, of course, how to reduce your exposure to it.

So what happened to

With our reconnaissance platform, we are able to search the internet with targeted queries. This enables us to spot suspicious subdomains for any domain we are checking. In this case, the suspicious subdomain was called

After inspection by our expert hunters, we found it pointed to using a CNAME DNS record.

That target has A records pointing to GitHub’s infrastructure, but the name is no longer registered with GitHub. Consequently, any attacker can register it and thereby gain full control over one of the USA.gov subdomains.

A vulnerable domain like this presents many options to an attacker. It is ready-made infrastructure for

  • Phishing
  • Malware spreading
  • Cookie extraction
  • “Man-in-the-browser” attacks
  • Brand damage

This makes it clear: a subdomain takeover is considered a high risk.

How to protect/repair the domain?

In order to protect the domain, remove the dangling CNAME record for this subdomain, or point it at a resource you actually control.
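To make the detection described above (a CNAME to third-party hosting whose target is no longer registered there) and the remediation concrete, here is an added example of a zone audit. It is not code from the original post or from the reconnaissance platform it describes. DNS and provider lookups are injected as callables so the script runs offline against constructed sample data; in production you would back `resolve_a` with real DNS queries and `is_claimed` with a probe of the hosting provider. The subdomain names, targets and addresses below are all constructed, and the list of claimable provider suffixes is an assumption you would extend for your own environment.

```python
"""Audit a DNS zone for dangling CNAME records that could be taken over.

Added example, not the original post's code. Models the situation in the
post: a subdomain whose CNAME points at shared hosting (GitHub Pages here)
where the target name is no longer registered with the provider. Lookups are
injected so the example runs offline on constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hosting suffixes where an unregistered target can be claimed by anyone.
# Assumed/constructed list; extend it with the providers you actually use.
CLAIMABLE_SUFFIXES = (".github.io",)


@dataclass
class Finding:
    name: str         # subdomain in our own zone
    target: str       # CNAME target it points at
    reason: str       # why the record is flagged
    remediation: str  # the fix from the post: remove or repoint the CNAME


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def _is_claimable_provider(host: str) -> bool:
    return any(_norm(host).endswith(s) for s in CLAIMABLE_SUFFIXES)


def audit_zone(
    cname_records: Dict[str, str],
    resolve_a: Callable[[str], List[str]],
    is_claimed: Callable[[str], Optional[bool]],
) -> List[Finding]:
    """Return one Finding per CNAME that looks dangling.

    cname_records: {subdomain: cname_target} taken from your own zone.
    resolve_a:     A records for a host, [] on NXDOMAIN.
    is_claimed:    True if the provider has the target registered, False if
                   not, None if the provider is unknown or the probe failed.
    """
    findings: List[Finding] = []
    for name, target in sorted(cname_records.items()):
        if not resolve_a(target):
            findings.append(Finding(
                name, target, "CNAME target does not resolve (NXDOMAIN)",
                f"remove the CNAME for {name} or point it at a host you control"))
            continue
        if not _is_claimable_provider(target):
            continue  # resolves and is not shared hosting: out of scope here
        claimed = is_claimed(target)
        if claimed is False:
            findings.append(Finding(
                name, target,
                "target resolves to provider infrastructure but is unregistered there",
                f"re-register {target} with the provider, or remove the CNAME for {name}"))
        elif claimed is None:
            findings.append(Finding(
                name, target,
                "could not verify registration at provider; review manually",
                f"confirm ownership of {target} or remove the CNAME for {name}"))
    return findings


# ---- constructed sample zone and fake lookups (not real data) --------------
SAMPLE_CNAMES = {
    "www.example.gov": "example-gov.github.io.",    # registered: fine
    "old.example.gov": "retired-site.github.io.",   # resolves, but unregistered
    "cdn.example.gov": "nonexistent.example.net.",  # NXDOMAIN
    "mail.example.gov": "mx.example.org.",          # not a claimable provider
}
FAKE_A = {  # documentation-range addresses, constructed
    "example-gov.github.io": ["198.51.100.1"],
    "retired-site.github.io": ["198.51.100.1"],
    "mx.example.org": ["192.0.2.10"],
}
FAKE_CLAIMED = {"example-gov.github.io": True, "retired-site.github.io": False}


def fake_resolve_a(host: str) -> List[str]:
    return FAKE_A.get(_norm(host), [])


def fake_is_claimed(host: str) -> Optional[bool]:
    return FAKE_CLAIMED.get(_norm(host))


def sample_findings() -> List[Finding]:
    return audit_zone(SAMPLE_CNAMES, fake_resolve_a, fake_is_claimed)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.name} -> {f.target}: {f.reason}\n    fix: {f.remediation}")
```

Run on the constructed zone, the audit flags `cdn.example.gov` (target gone from DNS entirely) and `old.example.gov` (the GitHub case from this post: the target still resolves to provider addresses, so a plain NXDOMAIN check would miss it). Each finding carries the remediation from the post; the point of the split into three reasons is that the second one is only visible if you ask the provider, not the DNS.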


As already mentioned above, our blog post on the principles of a Subdomain Takeover will explain all of this in more detail.

Responsible disclosure

After having secured the domain, we contacted the National CSIRT in the US, who coordinated the responsible disclosure to We believe this is a prime example of collaboration between the private sector, the public sector and governmental bodies. In the future, this collaboration will be crucial in order to ensure the best possible security in cyberspace.

This was also confirmed at the 5th European Annual Cyber Security Conference in Brussels this year, where this exact kind of collaboration was one of the major talking points on the agenda.


Stijn Vande Casteele
