Complete Details
api.techprep.fb.com is pointed to techprep-backend.us-east-1.elasticbeanstalk.com via a CNAME record. That Elastic Beanstalk URL in the AWS us-east-1 region appears to have been removed, and anyone with an AWS account that has privileges to create Elastic Beanstalk instances in the North Virginia (us-east-1) region can create one with techprep-backend.us-east-1.elasticbeanstalk.com as its URL. Therefore, api.techprep.fb.com has a dangling CNAME record.
Impact
As a result of the dangling CNAME record, whenever techprep-backend.us-east-1.elasticbeanstalk.com (which has since been removed) is claimed by an AWS user, that user gains control over the content served at api.techprep.fb.com as well.
Steps
1 Perform a DNS lookup on api.techprep.fb.com; you will find that it points to techprep-backend.us-east-1.elasticbeanstalk.com through a CNAME record.
2 Scan for open ports, and also check whether techprep-backend.us-east-1.elasticbeanstalk.com resolves. You will find that it does not resolve.
Reference for Step 2:
Command:
nmap -sV -O techprep-backend.us-east-1.elasticbeanstalk.com -Pn
Output:
Starting Nmap 7.91SVN ( https://nmap.org/ ) at 2020-12-20 00:08 +0545
Failed to resolve "techprep-backend.us-east-1.elasticbeanstalk.com".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 20.34 seconds
This shows that there are dangling DNS records at this sub-domain.
Mitigation/Remediation Actions
To mitigate this issue, one simple step would be to change or remove the CNAME record on the affected sub-domain.
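The check from Steps 1 and 2, written up as a defender-side audit (an added example; not code from this report, from Facebook or from AWS): it walks the CNAME chain of a hostname, flags a chain whose target no longer exists (NXDOMAIN, the same condition the nmap output shows), and names the Elastic Beanstalk environment and region that would be reclaimable. The resolver and zone data are constructed assumptions so it runs offline; plug in a real resolver for live use, and re-run it after the fix above to confirm the record is gone.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], Optional[List[str]]]

# Legacy Elastic Beanstalk environment URL shape seen in the report:
# <env>.<region>.elasticbeanstalk.com. If <env> no longer exists in <region>, any AWS
# account can re-create it. Assumption: this regex is ours and covers only that shape.
EB_URL = re.compile(r"^(?P<env>[a-z0-9-]+)\.(?P<region>[a-z]{2}-[a-z]+-\d)\.elasticbeanstalk\.com$", re.I)

# Constructed zone data, not live lookups. Convention: list of rdata = answer,
# [] = name exists but has no records of that type (NODATA), None = NXDOMAIN.
SAMPLE_ZONE: Dict[Tuple[str, str], Optional[List[str]]] = {
    ("api.techprep.fb.com", "CNAME"): ["techprep-backend.us-east-1.elasticbeanstalk.com."],
    ("techprep-backend.us-east-1.elasticbeanstalk.com", "CNAME"): None,  # as in the nmap output
    ("techprep-backend.us-east-1.elasticbeanstalk.com", "A"): None,
    ("www.healthy.example", "CNAME"): ["live-env.us-east-1.elasticbeanstalk.com."],  # control
    ("live-env.us-east-1.elasticbeanstalk.com", "CNAME"): [],
    ("live-env.us-east-1.elasticbeanstalk.com", "A"): ["192.0.2.10"],  # documentation range
}

def sample_resolver(name: str, rtype: str) -> Optional[List[str]]:
    """Lookup against SAMPLE_ZONE; swap in a dnspython-backed function for real audits."""
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rtype.upper()), None)

def follow_cname_chain(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk CNAMEs from `name`; return (chain, status), status in RESOLVES/NODATA/NXDOMAIN/LOOP."""
    chain, current = [name], name
    for _ in range(max_hops):
        cnames = resolve(current, "CNAME")
        if cnames is None:
            return chain, "NXDOMAIN"  # the name we were sent to no longer exists
        if cnames:
            current = cnames[0].rstrip(".")
            chain.append(current)
            continue
        addrs = resolve(current, "A")
        if addrs is None:
            return chain, "NXDOMAIN"
        return chain, ("RESOLVES" if addrs else "NODATA")
    return chain, "LOOP"

def audit_record(name: str, resolve: Resolver = sample_resolver) -> Dict[str, object]:
    """Flag `name` as dangling when its CNAME chain ends in NXDOMAIN; name the reclaimable service."""
    chain, status = follow_cname_chain(name, resolve)
    dangling = status == "NXDOMAIN" and len(chain) > 1  # a bare NXDOMAIN with no CNAME is not dangling
    target = chain[-1] if dangling else None
    m = EB_URL.match(target) if target else None
    return {"name": name, "dangling": dangling, "status": status, "target": target,
            "claimable_service": f"elasticbeanstalk:{m['region']}/{m['env']}" if m else None}
```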
References
My Further Response to Facebook:
"This is a Dangling DNS Records issue. Previously, Facebook had done the following things:
1 Pointing api.techprep.fb.com to the respective Elastic Beanstalk URL; i.e. techprep-backend.us-east-1.elasticbeanstalk.com, and
2 Creating an Elastic Beanstalk instance named "techprep-backend" in the US-East-1 region!
But now, Facebook appears to have reverted point #2, i.e. deleted the Elastic Beanstalk instance.
Therefore, an attacker can create an Elastic Beanstalk instance in the same AWS Region with the same name, and hence claim the instance URL, and along with that, host his/her contents there, which means the same contents would appear on FB.com's vulnerable sub-domain, i.e. api.techprep.fb.com.
To resolve this issue, Facebook needs to do one of the following:
1 Change the CNAME records of api.techprep.fb.com to the Elastic Beanstalk instance URL that they currently own,
2 Delete the CNAME records,
3 Re-claim the respective Elastic Beanstalk instance URL before anyone else does in the US-East-1 region!"
I hope this much information is enough to answer your queries, and yes, this Dangling DNS vulnerability could have been escalated to a Sub-domain Takeover vulnerability by registering a techprep-backend Elastic Beanstalk instance in the us-east-1 region in Amazon AWS.
Thanks,
Binit Ghimire