Google and Wildcard Domains

Mon, 23 Jun 2008 09:38:59 GMT
by pdp

Basically, Google allows you to use custom domains for your Google for Applications, Blogspot, Mashup Editor and of course App Engine accounts. I think this is an excellent feature and I use it for several of my domains. Although some of the Google applications ask you to verify ownership of the domain you are about to use by instructing you to place a special CNAME record on your nameserver, others don't. They simply assume that if a domain points back to them it must have been authorized by the owner, and this is exactly the case with Blogspot.

This is a very interesting situation and I must say it can be used for some very nasty phishing and defamation attacks, smear campaigns and other things, especially today when most businesses are moving to SaaS. It is interesting because many companies and organizations, from what I can see when doing some basic queries, are using wildcards to point back to Google. A wildcard record instructs the nameserver to resolve any subdomain, whatever its name, to whatever details you specify. In the case of Google, nameserver admins simply wildcard to ghs.google.com.

This might seem a good decision from an administrative point of view, but it is a horrible misconfiguration problem if you think about it. The problem is that as soon as you wildcard to Google's SaaS, you allow an attacker to register subdomains under your domain. For example, if we have *.acme.com pointing to ghs.google.com, an attacker will be able to register blog.acme.com and use that to confuse the crap out of everybody.
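As an added illustration (not code from the original post), the following Python audit applies the wildcard matching described above to a constructed sample zone and flags wildcard records that hand subdomain selection to a shared hosting front end; the zone contents, record values and function names are mine, and the matching is a simplification of RFC 4592 wildcard rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str    # owner name, lowercase, no trailing dot
    rtype: str   # "A" or "CNAME"
    target: str  # IP address or canonical name

# Constructed misconfigured zone: the wildcard hands every unlisted
# subdomain (blog.acme.com, anything.acme.com, ...) to ghs.google.com.
WILDCARD_ZONE = [
    Record("acme.com", "A", "192.0.2.10"),
    Record("www.acme.com", "A", "192.0.2.10"),
    Record("*.acme.com", "CNAME", "ghs.google.com"),
]

# Constructed corrected zone: only names the owner actually uses point
# at Google, so an unlisted subdomain does not resolve at all.
FIXED_ZONE = [
    Record("acme.com", "A", "192.0.2.10"),
    Record("www.acme.com", "A", "192.0.2.10"),
    Record("blog.acme.com", "CNAME", "ghs.google.com"),
]

def lookup(records, qname):
    """Answer qname as a resolver would: an exact owner-name match wins,
    otherwise the nearest '*.' ancestor answers (matches any depth)."""
    qname = qname.lower().rstrip(".")
    for r in records:
        if r.name == qname:
            return r
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        for r in records:
            if r.name == wildcard:
                return r
    return None

def wildcard_takeover_findings(records, zone, shared_hosts):
    """Flag wildcard CNAMEs whose target is a shared front end outside the
    zone: any subdomain a third party claims there will resolve."""
    return [
        r for r in records
        if r.name.startswith("*.")
        and r.rtype == "CNAME"
        and not r.target.endswith("." + zone)
        and r.target.lower() in shared_hosts
    ]
```

Running lookup against a random label is also the quick live check an admin can do against their own zone: if an unlisted name resolves to the shared host, the wildcard is in place.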

This is somewhat of a big problem, people, and you had better start taking the entire system (not just the individual components) into consideration more seriously.

Archived Comments

kuza55
I'm of the opinion that wildcards are simply a bad idea for security in general, and pointing them at IP addresses you don't control is just plain stupid. So have you seriously seen an administrator who thinks it's a good idea to let someone control subdomains that are under their DNS? The ghs.google.com domain doesn't seem to suffer this problem; however, if you were to point the wildcard at a working domain then you are also trusting that that domain does not have XSS holes.
NurBo
This isn't anything new. I've seen tricks done to get access to a domain Gmail account, such as @whatever.com: you just trick your way into verifying and now you have an email address with somebody's domain; you can do a lot of things with just a bit of that. And the image is cool in my book.
jtyrrell
I haven't used Blogspot, but from the services I've seen, you must first tell Google the value of the CNAME before creating the record. If you enter a wildcard into that field, it tells you that *'s aren't allowed. This is so that ghs.google.com can respond to an HTTP query properly according to the Host: header that the client sends. If an unknown Host is submitted, Google simply sends back a 404 error. So you're saying this really isn't the case with Blogspot? Oversight indeed....
sirdarckcat
jtyrrell is right, http://help.blogger.com/bin/answer.py?answer=55373 . In the Notes they say: You can use this feature with domains (e.g. mysite.com) or subdomains (e.g. name.mysite.com). However, you cannot specify subdirectories (e.g. mysite.com/blog/) or wildcards (e.g. *.mysite.com). Greetz!!
Albert
Pdp means that if *.acme.com points to Blogspot, you can go to Blogspot and occupy blog.acme.com. The wildcard is entered in the DNS, and not at Blogspot.
jtyrrell
Right, but Google doesn't have to respond to that hostname. Through HTTP, they could choose to give you a 404 error, as I'm sure they do.