Comment by catlifeonmars
8 hours ago
All you need is to manipulate DNS, inject a record with a long TTL and the rest is not required.
It scales very well and I guarantee this is not the only instance of misconfigured host verification. In other words, this is not as niche as you might think.
If you're able to manipulate DNS, can't you just issue your own certificate for the domain? Even if it would be revoked moments later, mitmproxy doesn't check it even when ssl_insecure=false:
https://github.com/mitmproxy/mitmproxy/issues/2235
EDIT: Maybe I incorrectly assumed you meant authoritative DNS.
You got it, authoritative not necessary. It just needs to be your router, your ISP's resolver, or the one at your public library/coffee shop/hotel etc. I’d throw BGP route poisoning in there too, but then you have much bigger problems lol.
Like you pointed out in your original post, this would be expensive to run as a targeted attack, but it has good unit economics if you scale it up, wait, and then harvest.
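The "inject a record with a long TTL" step discussed in the thread, as an added example that is not part of any comment above and not taken from the mitmproxy project: it builds a DNS A-record answer on the wire with a week-long TTL using only the standard library, parses it the way a caching resolver would, and shows how a resolver-side TTL cap (Unbound's cache-max-ttl, BIND's max-cache-ttl) bounds how long such a record can sit in the cache. The name `www.example.test.`, the address `203.0.113.7`, the transaction ID and the TTLs are all constructed for illustration; the 86400-second cap is Unbound's default value.

```python
"""
Added example, not from the thread: a long-TTL DNS answer, a toy
resolver cache, and the effect of capping cached TTLs.
All names, addresses, IDs and TTLs are constructed for illustration.
"""
import struct


def encode_name(name: str) -> bytes:
    # "www.example.test." -> b"\x03www\x07example\x04test\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, name: str, ipv4: str, ttl: int) -> bytes:
    """Minimal DNS response: header, one question, one A answer, no name compression."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # RR: NAME, TYPE, CLASS, TTL (32-bit), RDLENGTH, RDATA
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointers not supported by this toy parser")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes):
    """Return [(name, ipv4, ttl), ...] for the A answers in a response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


class ResolverCache:
    """Toy cache. max_ttl plays the role of a resolver's cache TTL cap."""

    def __init__(self, max_ttl: int):
        self.max_ttl = max_ttl
        self.entries = {}  # name -> (ipv4, expiry_time)

    def insert(self, response: bytes, now: float) -> int:
        """Cache the A records; return the effective TTL that was applied."""
        effective = 0
        for name, ip, ttl in parse_a_records(response):
            effective = min(ttl, self.max_ttl)  # the cap is what limits a poisoned record
            self.entries[name] = (ip, now + effective)
        return effective

    def lookup(self, name: str, now: float):
        entry = self.entries.get(name)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


def demo():
    """Same forged answer, two resolvers: one with a generous cap, one with Unbound's default."""
    name = "www.example.test."
    forged = build_a_response(0x1234, name, "203.0.113.7", ttl=7 * 24 * 3600)
    generous = ResolverCache(max_ttl=30 * 24 * 3600)
    capped = ResolverCache(max_ttl=86400)
    generous.insert(forged, 0.0)
    capped.insert(forged, 0.0)
    two_days_later = 2 * 86400.0
    return generous.lookup(name, two_days_later), capped.lookup(name, two_days_later)


if __name__ == "__main__":
    print(demo())
```

The point of the cap is not that it stops the injection; a record that is trusted at all is trusted for at least min(TTL, cap). It limits the "wait, and then harvest" window: with the cap the forged mapping is gone after a day, without it the attacker's 7-day TTL is honoured in full.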