If a subdomain like something.example.com is vulnerable, an attacker could use email addresses like email@example.com or firstname.lastname@example.org to prove his ownership over that subdomain and register a valid SSL certificate, said Frans Rosén, co-founder of Detectify.
The attacker could then set up an HTTPS (HTTP Secure) website on the something.example.com subdomain and trick example.com users to visit it in order to steal their authentication cookies.
Authentication cookies are unique identifiers that websites store in browsers to track authenticated users after they sign in. If stolen, for example by intercepting the traffic between a user's browser and a website, an authentication cookie can be placed into another browser to gain access to the account it corresponds to.
In order to prevent such man-in-the-middle cookie thefts, webmasters use SSL to encrypt the traffic between users' browsers and their websites and set a "Secure" flag for cookies so that they only get transmitted over HTTPS connections.
Many sites set cookies to be valid not only for their main domain, but for all subdomains under that domain. That's why after you log into your Google or Microsoft account you will be logged into all of those companies' services, even though the various services use different subdomains.
The cookie theft issue doesn't apply to racing.msn.com because msn.com is not an HTTPS website, and the log-in process is actually handled through live.com, so the cookies are tied to that domain. However, the attack could be possible on other sites that have similarly vulnerable subdomains.
In addition to cookie theft, the ability to load arbitrary code on a subdomain could also help attackers to bypass same-origin and cross-domain security restrictions for the corresponding domain.
"It's not only CNAME entries that can be vulnerable to this, other records can also be used, such as DNAME and NS," the Detectify researchers said in a blog post.
In addition to DNS resource records pointing to expired domains, Gruszecki found instances where the entries had simply been mistyped: instead of www.example.com, the administrator typed wwwexample.com. In such a case, the attacker could register wwwexample.com.
"In conclusion, even though the administration of DNS records is a hassle by itself, the Resource Records need to be constantly validated and checked," the Detectify researchers said. "Not only for unused services, but for typos and/or misconfigurations."
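As an added, constructed example (not Detectify's or Gruszecki's tooling), the Python audit below applies that validation advice to a small zone fragment: it flags CNAME, DNAME and NS targets whose registrable domain is not in a set of domains the organisation holds, and separates likely typos (a near-miss of an owned domain, such as the missing dot above) from possibly expired targets. The records, the registered-domain set and the similarity threshold are assumptions; a real check would replace the set with WHOIS/RDAP or DNS lookups.

```python
from difflib import SequenceMatcher

# Record types whose target can be taken over when it points at a name
# nobody holds (the article names CNAME, DNAME and NS).
DELEGATING_TYPES = {"CNAME", "DNAME", "NS"}

# Constructed zone fragment: (owner name, type, target).
RECORDS = [
    ("racing.example.com.", "CNAME", "racing.expired-vendor.net."),
    ("www.example.com.",    "CNAME", "wwwexample.com."),   # missing dot
    ("blog.example.com.",   "CNAME", "blog.example.com.cdn.example-cdn.net."),
    ("api.example.com.",    "A",     "192.0.2.10"),
]

# Constructed set of domains the organisation (or its vendors) actually holds.
REGISTERED = {"example.com", "example-cdn.net"}

# Assumed threshold: above this, an unowned target is treated as a typo.
TYPO_SIMILARITY = 0.85


def registrable_domain(fqdn: str) -> str:
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit(records, registered):
    """Return (owner, reason) pairs for records that need an operator's review."""
    findings = []
    for name, rtype, target in records:
        if rtype not in DELEGATING_TYPES:
            continue                      # A/AAAA records cannot dangle this way
        apex = registrable_domain(target)
        if apex in registered:
            continue                      # target is under a domain we hold
        # Not ours: a near-miss of an owned domain is probably a typo,
        # anything else may be an expired or never-registered name.
        near = [d for d in sorted(registered)
                if SequenceMatcher(None, apex, d).ratio() > TYPO_SIMILARITY]
        if near:
            findings.append((name, f"{rtype} target {target} looks like a typo of {near[0]}"))
        else:
            findings.append((name, f"{rtype} target {target} is outside registered "
                                   f"domains (possible dangling record)"))
    return findings


if __name__ == "__main__":
    for owner, reason in audit(RECORDS, REGISTERED):
        print(f"{owner}: {reason}")
```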