Subdomain takeover

A vulnerability where a domain still points at a service that no longer owns the hostname, letting an attacker claim it. Custom-domain SaaS prevents this with re-verification.

Subdomain takeover is what happens when a DNS record points at a service that has since released the hostname. An attacker re-registers the now-available hostname on that service, and any traffic still pointing there ends up at the attacker.

The classic example

  1. Acme Inc points shop.acme.com at their Heroku app: shop.acme.com CNAME acme-shop.herokuapp.com.
  2. A year later, they cancel the Heroku app. The CNAME stays in DNS (someone forgot).
  3. Now acme-shop.herokuapp.com is available. Anyone can sign up at Heroku and grab it.
  4. Attacker signs up, claims acme-shop.herokuapp.com, and now serves content at shop.acme.com.
  5. Visitors to shop.acme.com see attacker content under Acme's brand. Reputation damage, phishing potential, cookie theft if cookies are scoped to *.acme.com.

Where the vulnerability lives

Any cloud service that lets you claim a hostname is potentially vulnerable. Historically hit: Heroku, AWS S3 buckets, GitHub Pages, Shopify, Zendesk, Pantheon, Webflow.

The pattern is always the same: a CNAME points at a service-owned hostname (*.servicedomain.com), the service-side claim is released without the customer-side DNS record being updated, and an attacker re-claims the hostname on the service.

How a custom-domain SaaS prevents it

Re-verification on every claim. When someone tries to add shop.acme.com to your SaaS, you require proof of control:

  1. Issue a per-attempt random token.
  2. Customer publishes it as a TXT record (_yourapp.shop.acme.com TXT yourapp-verify-xyz).
  3. You check the record exactly matches the token.
  4. Only then do you bind the hostname to their tenant.

Critically: when a customer removes a custom domain from their account, you either keep the binding active until the DNS actually changes (so an attacker can't re-claim immediately), or release immediately, but require fresh verification for the next claimant.
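The claim flow above, as an added example (not Domainee's or any real provider's code). It assumes the `_yourapp` label and `yourapp-verify-` token prefix from the steps above, and replaces real DNS with an injected lookup over a constructed in-memory zone so the scenario runs offline: Acme verifies, cancels and leaves the TXT record behind, then a second claimant with a different per-attempt token fails.

```python
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

# Hypothetical model of the claim flow above. DNS is replaced by an injected
# lookup function (constructed, in-memory) so the example runs offline.
TxtLookup = Callable[[str], List[str]]
LABEL = "_yourapp"          # verification record lives at _yourapp.<hostname>
PREFIX = "yourapp-verify-"  # token shape from the page: yourapp-verify-<random>

class CustomDomainService:
    def __init__(self, lookup_txt: TxtLookup) -> None:
        self.lookup_txt = lookup_txt
        self.pending: Dict[Tuple[str, str], str] = {}  # (tenant, host) -> token
        self.bindings: Dict[str, str] = {}             # host -> tenant

    def start_claim(self, tenant: str, hostname: str) -> str:
        # Step 1: fresh random token per attempt; restarting a claim discards the old one.
        token = PREFIX + secrets.token_urlsafe(16)
        self.pending[(tenant, hostname)] = token
        return token

    def verify_claim(self, tenant: str, hostname: str) -> bool:
        # Steps 3-4: the TXT record must equal the issued token exactly, then bind.
        token = self.pending.get((tenant, hostname))
        if token is None:
            return False  # no attempt in progress for this tenant
        records = self.lookup_txt(f"{LABEL}.{hostname}")
        # Exact, constant-time comparison: a prefix-only match or someone else's token fails.
        if not any(hmac.compare_digest(r.strip().encode(), token.encode()) for r in records):
            return False
        self.bindings[hostname] = tenant
        del self.pending[(tenant, hostname)]
        return True

    def remove_domain(self, tenant: str, hostname: str) -> None:
        # Release immediately; the next claimant must start a new claim with a new token.
        if self.bindings.get(hostname) == tenant:
            del self.bindings[hostname]

def run_scenario() -> Dict[str, bool]:
    # Constructed walk-through: Acme claims, cancels and leaves the record; an attacker tries.
    zone: Dict[str, List[str]] = {}  # stand-in for acme.com's DNS zone
    svc = CustomDomainService(lambda name: zone.get(name, []))
    zone[f"{LABEL}.shop.acme.com"] = [svc.start_claim("acme", "shop.acme.com")]
    acme_ok = svc.verify_claim("acme", "shop.acme.com")
    svc.remove_domain("acme", "shop.acme.com")    # Acme cancels; stale TXT stays in DNS
    svc.start_claim("attacker", "shop.acme.com")  # a different per-attempt token is issued
    attacker_ok = svc.verify_claim("attacker", "shop.acme.com")
    return {"acme": acme_ok, "attacker": attacker_ok, "bound": "shop.acme.com" in svc.bindings}
```

The stale record still holds Acme's old token, so it never matches the new claimant's token and the hostname stays unbound until someone who controls acme.com's DNS publishes a fresh one.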

What customers should do

For users of any SaaS supporting custom domains: when you cancel a service or remove a custom domain, remove the corresponding DNS record. The 30 seconds it takes prevents a potential takeover months later.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.