What’s Going On?

Subdomains are a prefix to a site address (URL) and are used by their parent (main) sites for technical or SEO-related reasons. So if a parent URL looks like www.parent.com, its subdomain could be found under www.subdomain.parent.com. Subdomains are set up for various different reasons, such as testing new features before they’re added to their parent URL or to separate between different types of content. Unfortunately, oftentimes they become vulnerable to takeover due to several reasons, like DNS and hosting misconfigurations or expired settings. Despite the benefits that come with using external host services, it often leads to subdomains becoming abandoned if they’re not removed properly by their owner. That can happen if the parent site cancels the hosting service, but doesn’t remove the subdomain mapping. It could allow anyone who finds the mapped subdomain to get access and rights to manage the subdomain’s content without permission. This is known as a subdomain takeover — a dangerous practice, often used to distribute malware, exploit user data, or used for phishing, stealing cookies, and more. Our team of cybersecurity experts discovered 3 vulnerable subdomains that used to host different CBS Local content — ESP Guide, Contest, and Privacy Offers. Through extensive research, we found out that each subdomain held different types of content. According to our research, contest.cbslocal.com was used as a placeholder for displaying information about contests held by the main site. It’s possible it was a part of the company’s marketing strategy. Meanwhile, espguide.cbslocal.com served as a CBS newsletter called “Eat. Sleep. Play.” Finally, it seems that privacy.offers.cbslocal.com used to display CBS Local Privacy Policies. This last subdomain poses the best opportunities for scams as its name seems like a genuine privacy-related website.

How Did This Happen and What Does It Mean for CBS Users?

Though the CBS Local website is visited regularly by millions of users, these subdomains seem to have been unregistered and empty for many years. The main website doesn’t link to any of them anymore, so it’s unlikely any CBS user was browsing through them. However, it doesn’t decrease the risks involved with a subdomain takeover. These vulnerabilities could still pose a great threat to unsuspecting users. The main threats that come from using hijacked subdomains include:

Do I Need to Do Anything Now?

Our cybersecurity team successfully claimed and secured all 3 vulnerable subdomains. As a proof of concept (POC), they then uploaded unharmful static content to discourage hackers from hijacking them. As soon as these vulnerabilities were discovered, we also contacted CBS Local. Once we receive a reply, we’ll be able to hand the subdomains over so they can be permanently removed. Luckily, you can still protect your personal information online and avoid having your data harvested. Refrain from entering your personal details on any site without a secured HTTPS address. Make sure the site doesn’t display any certificate errors either. Should you come across a site or its subdomain with a suspicious HTTP address, avoid clicking on any pop-up ads or prompts. They can be infected with various types of malware or viruses, ready to be installed on your device with just one click. Remember to report anything suspicious as soon as you see it, including unusual emails or shady site functions. That way you will protect not only your own data but also prevent other users from being scammed. For extra protection, install a trustworthy antivirus program and a VPN. They will add an additional layer of security to your device while protecting your online identity. You can even try many VPN providers for free for a certain period of time, completely risk-free! To learn more about how a VPN protects your online data, follow our VPN guide for beginners.

Why Should I Trust WizCase?

Translated in nearly 30 languages, WizCase is one of the leading websites concerning online freedom and internet safety. Our website helps people across the globe and gained thousands of regular readers very quickly. We regularly discover and report new data breaches and website vulnerabilities, such as multiple leaks in the medical industry and unsecured servers on a popular culinary site. Prior to publishing each report, we always contact the affected company to inform it about the existing issue. This ensures the leaks or any vulnerabilities can be secured to protect exposed data and users involved. Although we’ve contacted CBS Local multiple times to make them aware of the issue, we haven’t received a response yet. We hope that by publishing this report, we can encourage the company to secure the vulnerable subdomains themselves. Until then, our POC should prevent any hackers from trying to hijack the subdomains.