
Ask HN: Why do cloud providers allow subdomain takeover? - masterlittle
Hi, So recently I did a successful subdomain takeover attack on a shopify domain and was appalled by the lack of response and knowledge the owner of the domain showed when I informed him. This led me thinking as to why do cloud providers let this form of attack happen? As I understand, most of them use some form of virtual hosting thus asking for alternate domain names. Why doesn&#x27;t every cloud provider make verification of domain name compulsory? Some of them do, so I&#x27;m sure this is possible.
Please help me satisfy my curiosity.
Thanks
======
QuinnyPig
It slows deployments, it needs to be retested from time to time as domains
move / expire, and on balance has the potential to cause more pain than it
solves for. It defends against an edge case (domain owner being irresponsible)
at a cost (everyone else gets slowed down). It's a judgement call, largely.

