Subdomain takeover was possible in some of the subdomains. The CNAME entry in the subdomain is pointing to an external page service (fanfootballsony.s3-us-west-2.amazonaws.com).
$ nslookup fan.football.sony.net 22.214.171.124
-> fan.football.sony.net is an alias for fanfootballsony.s3-us-west-2.amazonaws.com.
The bucket name must be the same as the CNAME. So fan.football.sony.net/filename would be the same as fanfootballsony.s3-us-west-2.amazonaws.com/filename if a CNAME were created to map fan.football.sony.net to fanfootballsony.s3-us-west-2.amazonaws.com.
- Fake website
- Malicious code injection
- Users tricking
- Company impersonation
Since the vulnerable subdomain is called signup
, it’s a perfect place to create a fake login/subscribe page to steal users credentials. An attacker would post links on forums or send emails and then wait for people to signup on the site he owns.
You should immediately remove the DNS-entry for this domain or point it elsewhere if you don’t use that service.