Subdomain Takeover: The Hidden Threat to Shopify Stores

Discover how abandoned subdomains become security vulnerabilities and how attackers exploit them to damage your Shopify brand.


What is Subdomain Takeover?

Subdomain takeover happens when an attacker gains control of content served under a subdomain you no longer use. If you created promo.yourstore.com for a marketing campaign, pointed it at a service like Heroku with a CNAME record, then deleted the Heroku app but left the DNS record in place, an attacker can create their own Heroku app, register promo.yourstore.com as its custom domain, and serve whatever they like under your subdomain. The DNS record is still yours; the attacker only needs to claim the resource it points at.

How It Happens

The attack follows a predictable pattern:

  1. You create a subdomain whose DNS record (usually a CNAME) points at a third-party service
  2. You stop using the service and delete the app, bucket, site or account
  3. The DNS record remains and now points at a service endpoint where nothing is registered under your name (a “dangling” record)
  4. An attacker notices and creates their own resource on that service
  5. The attacker registers your subdomain (or recreates the exact resource name your record points at) in their account, so the service routes requests carrying your hostname to their content

Now promo.yourstore.com shows whatever the attacker wants: phishing pages, malware, or content that damages your brand. Because the DNS record genuinely belongs to your domain, services that issue certificates automatically for custom domains may even give the attacker’s page a valid TLS certificate.

Common Vulnerable Services

Many services are vulnerable to subdomain takeover if you forget to clean up DNS records:

  • Heroku: app deleted but the CNAME to its herokuapp.com hostname remains, so anyone can add your hostname as a custom domain on their own app
  • AWS S3: bucket deleted but DNS still points at the bucket’s S3 endpoint; bucket names are global, so anyone can recreate a bucket with that exact name
  • GitHub Pages: repository deleted or renamed but the CNAME to the github.io hostname remains; the subdomain can then be attached to someone else’s Pages site unless you verified the domain with GitHub
  • Shopify Partners: test or development store deleted but the DNS record for its custom domain remains
  • Azure: web app removed but the CNAME to its azurewebsites.net hostname remains, and that hostname is free for anyone to register again
  • Zendesk: account cancelled but the CNAME to its zendesk.com hostname remains

Which services can actually be claimed changes over time as providers add domain verification. Treat any record pointing at a resource you no longer own as a finding until you have confirmed otherwise.

Real Impact on Your Business

Subdomain takeover enables serious attacks:

  • Phishing: attackers host fake login pages on a real subdomain of your brand
  • Cookie theft and injection: cookies scoped to the whole domain (Domain=yourstore.com) are sent to every subdomain, so the attacker’s page receives them, and a page on the subdomain can also set cookies for yourstore.com (cookie tossing). Host-only cookies and cookies using the __Host- prefix are not exposed
  • Trust bypass: CORS allowlists, Content-Security-Policy sources and OAuth redirect URIs that trust *.yourstore.com now trust the attacker’s page as well
  • Brand damage: inappropriate content appears under your brand
  • SEO poisoning: spammy content affects your domain’s search rankings
  • Customer confusion: legitimate-looking URLs that lead to scams

How to Find Vulnerable Subdomains

  1. Audit your DNS records: export the zone, list every subdomain, and for each CNAME check that the target still resolves and that the resource it names still exists. A target that returns NXDOMAIN is a strong signal
  2. Check for error pages: subdomains showing “There isn’t a GitHub Pages site here”, “No such app”, “NoSuchBucket” or similar provider pages are likely vulnerable. Confirm a finding by checking whether the resource name or hostname can still be registered on that service in an account you control
  3. Review old campaigns: marketing subdomains for finished promotions are common culprits
  4. Check third-party services: verify your accounts and resources still exist for any subdomain pointing to an external service
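The audit described above, as an added example (not part of Recon or any provider’s tooling): it walks a DNS zone export, flags CNAMEs whose target no longer resolves, and fetches each remaining subdomain to look for the provider’s “nothing is bound to this name” page. The fingerprint strings are the commonly published ones and are an assumption to re-check against the live service; the hostnames, zone and network responses in the sample are constructed so that the script runs offline. The default resolver and fetcher use only the Python standard library, so the same audit() call works against a real zone export.

```python
"""Audit a DNS zone export for dangling CNAMEs that could be taken over.
Signals: (1) the CNAME target no longer resolves, (2) the subdomain serves a
known provider error page. Network access is injectable for offline runs."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, target/value)

# Assumed fingerprint table: text a provider returns when no resource is bound
# to the requested hostname. Verify against the live service before relying on
# it. An empty list means NXDOMAIN on the CNAME target is the only signal.
FINGERPRINTS: Dict[str, List[str]] = {
    "herokuapp.com": ["No such app"],
    "amazonaws.com": ["NoSuchBucket", "The specified bucket does not exist"],
    "github.io": ["There isn't a GitHub Pages site here"],
    "myshopify.com": ["Sorry, this shop is currently unavailable"],
    "azurewebsites.net": [],
    "zendesk.com": ["Help Center Closed"],
}


def service_for(target: str) -> Optional[str]:
    """Map a CNAME target to a known provider suffix; None for unknown/own infra."""
    host = target.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def resolves(host: str) -> bool:
    """Default resolver: True if the name has an A/AAAA answer, False on NXDOMAIN."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def fetch_body(host: str) -> Optional[str]:
    """Default fetcher: GET the subdomain over HTTPS, then HTTP. HTTP error
    responses (404 etc.) are returned too; that is where the fingerprint lives."""
    for scheme in ("https", "http"):
        try:
            with urllib.request.urlopen(f"{scheme}://{host}/", timeout=5) as resp:
                return resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # subclass of URLError: catch first
            return err.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue  # TLS failure or refused connection: try the next scheme
    return None


def audit(records: List[Record],
          resolver: Callable[[str], bool] = resolves,
          fetcher: Callable[[str], Optional[str]] = fetch_body) -> Dict[str, str]:
    """Return {subdomain: reason} for every CNAME that looks dangling."""
    findings: Dict[str, str] = {}
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue  # A/AAAA/MX/NS records need different checks; out of scope
        if not resolver(target):
            findings[name] = f"CNAME target {target} does not resolve (NXDOMAIN)"
            continue
        service = service_for(target)
        if service is None:
            continue  # points at infrastructure we cannot fingerprint; review by hand
        body = fetcher(name) or ""
        for marker in FINGERPRINTS[service]:
            if marker in body:
                findings[name] = f"{service} answered with takeover fingerprint {marker!r}"
                break
    return findings


# Constructed sample zone: placeholder hostnames, not real records.
SAMPLE_ZONE: List[Record] = [
    ("yourstore.com", "A", "192.0.2.10"),
    ("www.yourstore.com", "CNAME", "shops.myshopify.com"),                    # live store
    ("promo.yourstore.com", "CNAME", "summer-sale.herokuapp.com"),            # app deleted
    ("assets.yourstore.com", "CNAME", "assets-yourstore.s3.amazonaws.com"),   # bucket gone
    ("docs.yourstore.com", "CNAME", "yourstore.github.io"),                   # still published
    ("status.yourstore.com", "CNAME", "yourstore-status.azurewebsites.net"),  # app removed
]

# Constructed stand-ins for DNS and HTTP so demo() runs offline.
FAKE_DNS = {"shops.myshopify.com": True, "summer-sale.herokuapp.com": True,
            "assets-yourstore.s3.amazonaws.com": True, "yourstore.github.io": True,
            "yourstore-status.azurewebsites.net": False}
FAKE_HTTP = {"www.yourstore.com": "<html>Welcome to Your Store</html>",
             "promo.yourstore.com": "<title>No such app</title>",
             "assets.yourstore.com": "<Error><Code>NoSuchBucket</Code></Error>",
             "docs.yourstore.com": "<html>Product docs</html>"}


def demo() -> Dict[str, str]:
    """Run the audit against the constructed zone with the fake network."""
    return audit(SAMPLE_ZONE,
                 resolver=lambda h: FAKE_DNS.get(h.rstrip("."), False),
                 fetcher=FAKE_HTTP.get)


if __name__ == "__main__":
    for sub, why in demo().items():
        print(f"[!] {sub}: {why}")
```

On the sample zone the audit reports promo (Heroku “No such app” page), assets (S3 NoSuchBucket) and status (Azure hostname returns NXDOMAIN), and stays quiet on www and docs, which still serve real content. A fingerprint match is a lead, not proof: confirm by checking whether you can register the resource name or hostname yourself, then fix the record.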

How to Fix Vulnerable Subdomains

For each dangling subdomain, you have two options:

  1. Delete the DNS record if you no longer need the subdomain
  2. Reclaim the resource: recreate the app, bucket, store or site under the exact name the record points at, or register the subdomain as a custom domain in an account you control, so nobody else can

Order matters when you decommission something: remove the DNS record first, then delete the third-party resource or account. Deleting the resource first opens a window in which the record dangles. If you want no window at all, wait out the record’s TTL after removing it before tearing the resource down, since cached answers keep routing traffic to the service until then.

How Recon Helps

Recon protects your Shopify store from subdomain takeover by:

  • Scanning all your subdomains for takeover vulnerabilities
  • Identifying dangling DNS records pointing to deleted services
  • Alerting you when subdomains become vulnerable
  • Providing step-by-step remediation for each vulnerability

FAQ

Q: How common are subdomain takeover attacks?

A: Common enough to be a standard finding in bug bounty programs and external audits. The scanning is fully automated with free tools (subdomain enumeration followed by a fingerprint check), so the attacker needs little skill and can sweep many brands at once.

Q: Can attackers access my main Shopify store through subdomain takeover?

A: Not directly. Your Shopify admin session lives on Shopify’s own domain, not on yours, so a takeover of promo.yourstore.com does not expose it. What the attacker can reach are cookies scoped to your whole domain (Domain=yourstore.com), and they can set cookies for your domain from the subdomain. The main risk is phishing on a trusted-looking URL and brand damage.

Q: How often should I audit my subdomains?

A: At minimum, audit after every marketing campaign ends and whenever you cancel a third-party service or delete a resource (app, bucket, store) that a DNS record points at. Automated monitoring (like Recon provides) is the safest approach.

Want us to monitor this for you?

Run a free brand security audit with Recon and see your vulnerabilities in minutes.

Run Free Audit