janmasarik
commented
3 years ago @adiffpirate I believe @manasmbellani is right with his signature in subjack.
I did a test with following test cases when I enable public dashboard to stats.masarik.sh (takeoverable cases bold):
-
Enabled, but don't have any checks enabled. This responds with
Public Report Not Activated(fingerprint introduced in #159), but it's a false positive as you cannot claim the dashboard with another account. Attempt to do so results in 500: Server Error in the pingdom UI (doesn't seem they check for this on purpose, but it seems secure 🙃)
-
Enable, with any check enabled. This results in expected state (dashboard shows up), and nobody can takeover it as long as your account is active.
-
Disable account that had public dashboard enabled. This opens a space for takeover as long as target's CNAME remains pointing to stats.pingdom.com. This works regardless if the dashboard had or hadn't checks enabled before.
-
Change domain name of public dashboard. This opens a space for takeover as long as target's CNAME remains pointing to stats.pingdom.com.
-
Point CNAME to stats.pingdom.com, but don't enable it in pingdom. As expected, this opens a space for takeover too (with same response as above.
As far as I can tell, #159 is addressing the false positive case of 1, and we need to address 3, 4 and 5 instead. Or did you have a different example that would allow to takeover This public report page has not been activated by the user cases @adiffpirate?
If you want a robust mechanism that errs on the false positive side, you could check for 404 instead. Both cases return 404, and it's a bit more probable that it will continue to work even if they change wording.
adiffpirate
jleuth
Service name
Pingdom.com
Proof
https://youtu.be/VuIO1l5RL8k
Documentation
https://help.pingdom.com/hc/en-us/articles/205386171-Public-Status-Page