It’s Friday, I’m picking up chicken sliders on my extra long lunch break. A push notification from Gmail: Search Console - A New Owner Has Been Added to Your Web Property… What’s going on? Has my Google Account been hacked?!
12 Months Prior to the Incident
I buy a domain on Cloudflare (for privacy, I’ll call it testsite.com) and I create a public AWS S3 bucket to point to my simple static website that’s built using Next.js (static HTML export).
I have a simple DNS CNAME record pointing www -> to my public S3 bucket hosted at www.testsite.com.s3-website.us-east-2.amazonaws.com.
I’m able to reach my bucket via my domain, everything is great.
I connect my site to Google Search Console using DNS verification (I believe it is a DNS TXT record).
1 Month Prior
I grow tired of this site and the whopping $1.50 it costs to host it on AWS (heh).
So I do the sane thing: I delete the bucket at www.testsite.com.s3-website.us-east-2.amazonaws.com to save that $1.50 (‘cuz ya know, inflation and all... gotta pinch those pennies!).
When I navigate to my domain I get the usual Origin Not Found error from Cloudflare. I’ve successfully taken down my website, so I turn off auto-renewal on my domain so it can find a new owner (sad to see it go!).
Fast Forward to Today
I get a push notification from Gmail: a new owner has been added to your site: testsite.com.
I’m freaking out. Has my Google Account been compromised? I immediately log out of all sessions besides my current session on my cell phone.
In a hurry, I navigate to my orphaned site at www.testsite.com expecting to see nothing. Lo and behold, there it is… your classic run-of-the-mill SPAM/garbage ads.
I get home and immediately log on to my desktop, disappointed that my fresh chicken sliders will just have to wait.
Verifying Cloudflare/DNS Was Not Compromised
I log in to Cloudflare and check my DNS audit log. Hmmm, nothing has changed in my DNS? The CNAME record for www has not changed.
Cloudflare account is safe. Whew.
But what else could this be?
Navigating to the Public S3 Bucket
I navigate to the “naked” S3 bucket at www.testsite.com.s3-website.us-east-2.amazonaws.com, and the SPAM is identical to the actual domain at www.testsite.com.
Killing The DNS Records
I immediately delete all A and CNAME records from DNS. The domain is once again back to the expected Origin Not Found, and the SPAM is no longer associated with my domain.
Conclusion
What Gives? How I think this Happened…
I believe that somewhere in the vast interconnected web of computers, someone had written a script to track any domains that were backed by an S3 bucket.
The script alerted the creator once I took my S3 bucket offline, allowing them to create a new S3 bucket with the (previously) globally unique bucket name of www.testsite.com.s3-website.us-east-2.amazonaws.com.
Once they created the S3 bucket, my DNS CNAME record was already pointed at the S3 bucket URL that I previously owned, causing the domain to return requests from the “name takeover” S3 bucket that was now owned by the attacker.
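The check I would have wanted before deleting the bucket, as an added example that is not part of the original post: audit a BIND-style zone export (the kind Cloudflare lets you download) for CNAMEs aimed at S3 website endpoints, and flag any whose bucket no longer exists, which is exactly the dangling state the takeover above relied on. The zone text and record names below are constructed; the regex covers both endpoint shapes AWS uses.

```python
# Added example (not the post's own code). SAMPLE_ZONE is a constructed zone export;
# the www record mirrors the post's CNAME to an S3 website endpoint.
import re
import urllib.error
import urllib.request

# S3 website endpoints come in two shapes depending on the region's age:
#   <bucket>.s3-website.<region>.amazonaws.com   (newer regions, e.g. us-east-2)
#   <bucket>.s3-website-<region>.amazonaws.com   (older regions, e.g. us-east-1)
S3_WEBSITE_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3-website[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com\.?$"
)

SAMPLE_ZONE = """\
testsite.com.      1 IN SOA   ns1.example. hostmaster.example. 1 7200 3600 86400 60
www.testsite.com.  1 IN CNAME www.testsite.com.s3-website.us-east-2.amazonaws.com.
blog.testsite.com. 1 IN CNAME static.testsite.com.s3-website-us-east-1.amazonaws.com.
mail.testsite.com. 1 IN CNAME ghs.googlehosted.com.
testsite.com.      1 IN TXT   "google-site-verification=constructed-placeholder"
"""

def find_s3_cnames(zone_text):
    """Return (record name, bucket, region, target) for each CNAME aimed at an S3 website endpoint."""
    found = []
    for line in zone_text.splitlines():
        fields = line.split()  # name ttl class type rdata
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        m = S3_WEBSITE_RE.match(fields[4].lower())
        if m:
            found.append((fields[0].rstrip("."), m["bucket"], m["region"], fields[4].rstrip(".")))
    return found

def is_dangling(status, body):
    """A website endpoint whose bucket was deleted answers 404 with a NoSuchBucket error page:
    the bucket name is free for anyone to re-create while your CNAME still points at it."""
    return status == 404 and "NoSuchBucket" in body

def probe(target):
    """Fetch the CNAME target over plain HTTP (network call) and report whether it is dangling."""
    try:
        with urllib.request.urlopen(f"http://{target}/", timeout=10) as resp:
            return is_dangling(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return is_dangling(err.code, err.read(4096).decode("utf-8", "replace"))
    except urllib.error.URLError:
        return False  # unreachable: cannot tell, so do not report it as dangling

if __name__ == "__main__":
    for name, bucket, region, target in find_s3_cnames(SAMPLE_ZONE):
        print(f"{name} -> bucket {bucket} ({region}); run probe({target!r}) to check it")
```

Run it against your own zone export and remove or repoint any CNAME that `probe()` reports as dangling before (or the moment) the bucket behind it is deleted.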
Unknowns - Google Search Console, and Cloudflare DNS vs AWS Route 53 + Cloudfront
I’m not 100% sure how they were able to add themselves as an owner in Google Search Console - possibly via HTML verification? My DNS TXT record was unchanged.
Additionally, would this have been possible if I were using AWS Route 53 as my DNS? Is there a safety mechanism in place? Obviously Cloudflare doesn’t have insight into the S3 bucket; to them it’s just another URL. So that was my fault for not removing the CNAME.
Let me know what you all think, I’d love to hear some expert opinions on this “hack”/take over.
Until next time,
- S.T. Teller