
Vulnerability Discovered in Substack: Scammers Can Manipulate Subdomains

Digital security is more important today than ever before. A newly published analysis of Substack’s custom-domain handling describes a weakness that cybercriminals can turn to their advantage. Because of dangling DNS records, attackers can take control of custom domains and subdomains that were once connected to a Substack blog and have since been abandoned. This opens the door to spreading fake content, phishing attacks, and fraud that trades on a trusted brand name.

According to an analysis by researcher Joren Vrancken, 1,426 vulnerable domains have been identified, about 8% of all custom domains linked to Substack. Among them are 11 wildcard domains, which put entire zones at risk: with a wildcard record in place, an attacker can claim any subdomain that has no record of its own, such as support.example.com or login.example.com, and use it for phishing.

Substack is built on Cloudflare for SaaS. A user links a blog to a custom domain by creating a CNAME record that points at Substack’s shared target: for example, blog.example.com is pointed at target.substack-custom-domains.com, and Cloudflare routes requests for that hostname to Substack’s servers.

The vulnerability arises when a user deletes their Substack blog but leaves the DNS record in place. The CNAME then still points at Substack even though no blog is bound to that hostname any more, and an attacker can claim it in three steps:

  1. Pay $50 to activate the domain on Substack.
  2. Add the vulnerable domain to their Substack account.
  3. Host malicious content or phishing pages.

Some organisations use wildcard CNAME records (*.example.com) to manage their domains. A wildcard sends every subdomain that has no record of its own, login.example.com included, to Substack. If nothing on the Substack side binds those names, an attacker can claim an arbitrary one (e.g., helpdesk.example.com), serve a convincing fake page on it, and harvest credentials from users who trust the brand.

Cloudflare’s error pages also make these attacks easier to carry out. When a hostname’s CNAME points at Substack but no Substack blog is bound to it, visitors see one of Cloudflare’s errors:

  • Error 1001 (DNS resolution error) – Cloudflare could not resolve the hostname to an origin.
  • Error 1014 (CNAME Cross-User Banned) – the CNAME points into another Cloudflare customer’s zone and no Cloudflare for SaaS custom hostname authorises it.

To a domain owner these pages look like a stale link rather than a takeover risk, so the dangling record tends to go unnoticed; to an attacker they are a reliable signal that the hostname is unclaimed and can be added to a Substack account.
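The CNAME setup, the dangling state it leaves behind, the wildcard case and the Cloudflare error pages described above can be checked from the outside. The script below is an added example written for this article; it is not Substack’s, Cloudflare’s or the researcher’s code. The CNAME target substack-custom-domains.com and the error codes 1001 and 1014 come from the article; every helper name, the use of `dig` for the live resolver, and the sample zone inside `run_demo()` are assumptions (the sample zone is constructed for the demo, not real data). It goes one step beyond the text by probing a random sibling name to tell a single dangling record from a wildcard.

```python
"""Dangling-CNAME check for hostnames that point at Substack.

Added example, not Substack's, Cloudflare's or the researcher's code.
From the article: the CNAME target substack-custom-domains.com and
Cloudflare's error codes 1001 and 1014. Assumed: every helper name below,
that `dig` is installed for the live resolver, and the sample zone used
by run_demo(), which is constructed for the demo and not real data.
"""
import re
import secrets
import subprocess
import urllib.error
import urllib.request

SUBSTACK_TARGET = "substack-custom-domains.com"
# Cloudflare's error pages carry the numeric code in their text.
CF_UNBOUND_RE = re.compile(r"\bError (1001|1014)\b")


def resolve_cname(name):
    """Live lookup: CNAME target of `name` via `dig +short`, or None if there is none."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    return out.strip().rstrip(".") or None


def fetch_body(name):
    """Live fetch of http://<name>/ ; Cloudflare serves 1001/1014 with an error
    status, so the body of an HTTPError is returned as well."""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def wildcard_probe_name(domain):
    """A random sibling of `domain` (or child, for a bare apex). A wildcard such as
    *.example.com only covers names with no closer existing ancestor, so the probe
    must sit beside the dangling name, not beneath it."""
    labels = domain.rstrip(".").split(".")
    parent = ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels)
    return f"{secrets.token_hex(4)}.{parent}"


def classify(domain, resolve=resolve_cname, fetch=fetch_body):
    """One of: 'not-substack', 'claimed', 'dangling', 'wildcard-dangling'."""
    target = resolve(domain)
    if target is None or not target.endswith(SUBSTACK_TARGET):
        return "not-substack"
    if not CF_UNBOUND_RE.search(fetch(domain)):
        return "claimed"              # Substack serves content for this hostname
    probe_target = resolve(wildcard_probe_name(domain))
    if probe_target and probe_target.endswith(SUBSTACK_TARGET):
        return "wildcard-dangling"    # every unused sibling is claimable too
    return "dangling"


def scan(domains, resolve=resolve_cname, fetch=fetch_body):
    return {d: classify(d, resolve, fetch) for d in domains}


# ---- constructed offline fixture (not real DNS data) ----
DEMO_CNAMES = {
    "blog.example.com": "target.substack-custom-domains.com",  # live blog
    "old.example.com": "target.substack-custom-domains.com",   # blog deleted, record left
    "www.example.com": "www.example.com.cdn.example-cdn.net",  # unrelated CNAME
}
DEMO_BODIES = {"blog.example.com": "<title>Weekly notes</title><p>hello</p>"}
CF_1014_PAGE = "<title>Error 1014 | CNAME Cross-User Banned</title>"


def demo_resolve(name):
    if name in DEMO_CNAMES:
        return DEMO_CNAMES[name]
    if name.endswith(".example.org"):          # models a *.example.org wildcard CNAME
        return "target.substack-custom-domains.com"
    return None


def demo_fetch(name):
    # Hostnames Substack does not know get Cloudflare's error page instead of a blog.
    return DEMO_BODIES.get(name, CF_1014_PAGE)


def run_demo():
    return scan(["blog.example.com", "old.example.com", "www.example.com",
                 "helpdesk.example.org"], demo_resolve, demo_fetch)


if __name__ == "__main__":
    for host, verdict in run_demo().items():
        print(f"{host:24} {verdict}")
```

For a real zone, pass `scan()` the hostnames from your DNS export and keep the default `resolve_cname`/`fetch_body`; any result other than `claimed` or `not-substack` is a record to delete or a blog to re-bind. The sibling probe deliberately uses a random label so that it cannot collide with a name that genuinely exists.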

Although the DNS records live with the customer and not with Substack, Substack currently does not follow OWASP’s guidance on preventing domain takeover: an account can bind a custom domain without proving control of it. Cloudflare for SaaS offers ownership verification of custom hostnames via TXT records and via its API, but Substack has not enabled these features.

What Substack Needs to Do

  • Implement a domain ownership verification system before allowing domains to be added.
  • Automatically check and remove unused domains from the system.
  • Alert users when wildcard records are detected, as they pose increased risks.
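The first item above, ownership verification before a domain can be added, is the control that breaks the attack: an attacker holds nothing but a dangling CNAME and cannot publish records in the victim’s zone. The sketch below is an added example of such a check, written for this article; it is not Substack’s or Cloudflare’s code. The record name _substack-verify.<domain>, the token format, every helper name and the demo zone are assumptions (the zone is constructed, not real data).

```python
"""Hypothetical domain-ownership verification by DNS TXT record, the control
the article says Substack has not enabled. Added example, not Substack's or
Cloudflare's code. Assumed: the record name _substack-verify.<domain>, the
token format, all helper names, and the demo zone, which is constructed."""
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, kept server-side
LABEL = "_substack-verify"


def issue_challenge(domain, account_id, key=SERVER_KEY):
    """TXT value the user must publish at _substack-verify.<domain>.
    HMAC over (domain, account) so a token issued to one account cannot be
    replayed by another for the same domain, and nothing has to be stored."""
    msg = f"{domain.lower().rstrip('.')}|{account_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return "substack-verify=" + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_ownership(domain, account_id, resolve_txt, key=SERVER_KEY):
    """True only if some TXT string at _substack-verify.<domain> equals the token
    for this (domain, account). resolve_txt(name) -> list of TXT strings; a live
    version would query DNS (e.g. `dig +short TXT`), the demo uses a fixture."""
    expected = issue_challenge(domain, account_id, key).encode()
    records = resolve_txt(f"{LABEL}.{domain.lower().rstrip('.')}")
    return any(hmac.compare_digest(r.strip('"').encode(), expected) for r in records)


def add_custom_domain(domain, account_id, resolve_txt, bound=None, key=SERVER_KEY):
    """Gate that belongs in front of the 'add domain' action: bind the hostname
    only after a successful verification. `bound` maps hostname -> account."""
    bound = {} if bound is None else bound
    if not verify_ownership(domain, account_id, resolve_txt, key):
        return False
    bound[domain.lower().rstrip(".")] = account_id
    return True


# ---- constructed demo zone: Alice owns example.com and left old.example.com dangling ----
def make_demo_resolver(zone):
    def resolve_txt(name):
        return list(zone.get(name.lower(), []))
    return resolve_txt


def run_demo():
    alice_token = issue_challenge("old.example.com", "alice")
    zone = {f"{LABEL}.old.example.com": [alice_token]}   # only Alice can publish here
    resolve_txt = make_demo_resolver(zone)
    bound = {}
    return {
        "attacker_blocked": not add_custom_domain("old.example.com", "mallory", resolve_txt, bound),
        "owner_allowed": add_custom_domain("old.example.com", "alice", resolve_txt, bound),
        "no_record_blocked": not add_custom_domain("blog.example.com", "alice", resolve_txt, bound),
        "bound_to": bound.get("old.example.com"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The check must run every time a hostname is added, including when a domain that was bound before is added again by a different account, which is exactly the takeover path; a one-off verification at signup would leave the dangling case open. Binding the token to the account is what stops an attacker from reusing a token that the real owner once published.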

Recommendations for Substack Users

  • Review and update DNS records: inventory your zones (with your DNS provider’s zone export or a service such as SecurityTrails), find every CNAME that points at substack-custom-domains.com, and delete the ones whose blogs no longer exist.
  • Do not count on DNSSEC for this: DNSSEC authenticates DNS answers against spoofing, but a dangling CNAME is a legitimate, correctly signed record, so it does nothing to prevent this takeover.
  • Regularly monitor domain activity: confirm that every hostname still pointed at Substack is bound to a blog you control.
  • Use separate domains for critical services: keep Substack, and any wildcard record that would route to it, out of the zones that serve banking, government, or login services.

This case highlights how the expansion of cloud services also brings new security challenges. The Substack vulnerability is a reminder for companies and users to keep strict control over their DNS records. According to the researcher, the same pattern exists in more than 38 other SaaS platforms, indicating a broader systemic problem with how dangling DNS records are handled.

Ensuring security requires collaboration between technology platforms and users. Substack must strengthen its weak points, while users must properly manage and monitor their domains. Otherwise, such vulnerabilities could be widely exploited by cybercriminals.