Subdomains pointing to vercel.com are vulnerable

[ScrubsAndStats]

Service name

Vercel

Proof

Successful subdomain takeover on a harvard.edu subdomain (screenshot).

Documentation

• Create a new repository on Github and upload an index.html
• Visit https://vercel.com/ and sign up using your Github account
• Create a new project and point it to the previously created Github repository
• Open the "Domains" tab on Vercel and add the vulnerable domain
• Boom! Exploited!

[marcelo321]

Can you share the cname regex and the fingerprint?

[ScrubsAndStats]

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

[adityathebe]

There are definitely edge cases here.

$ host -t CNAME anythingrandom.console.dev.twilio.com
anythingrandom.console.dev.twilio.com is an alias for cname.vercel-dns.com.

$ curl 'https://anythingrandom.console.dev.twilio.com/'                                                                                                     10:12:48
The deployment could not be found on Vercel.

DEPLOYMENT_NOT_FOUND

[marcelo321]

so the cname we need to grep is vercel-dns.com not vercel.com. thank you @adityathebe

[blackcodersec]

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

are you takeover any subdomain? Do you have any poc?

[raladev]

Summary for 2021: U can takeover mashed.potato.com only if potato.com is not used in the account of the victim, otherwise, u will get Already owned err.

[dark-ninja10]

This can be closed as Edge-case

[M359AH]

It still vulnerable yesterday I takeover 2 subdomains and I've upload my index

[dark-ninja10]

@M359AH u took over mashed.potato.com even when potato.com is already registered? If yes, please share how you managed to do that? Just curious :0

[M359AH]

@jan-muhammad-zaidi

Hello Muhammed

I've found the subdomain I got this error page

• After it, I go to see the CNAME

;; AUTHORITY SECTION:
vercel.app.     60  IN  SOA ns1.vercel-dns.com. hostmaster.nsone.net. 1644228969 43200 7200 1209600 60

;; Query time: 134 msec
;; SERVER:#53(.131)
;; WHEN: Mon Feb 07 12:41:00 EET 2022
;; MSG SIZE  rcvd: 119

Now I go to vercel.app and add a public repository contains my PoC index and after import the project I've add the domain and added successfully

and my PoC has been uploaded

[dark-ninja10]

How come it's not showing a domain already registered error? Like this

[M359AH]

Hello @jan-muhammad-zaidi

I think your target is not vulnerable because It should be registered without an errors like my comment above

[M359AH]

Your index should be uploaded like It:

Sorry for my bad image edit 😅 😂 😂

[dark-ninja10]

@M359AH no issues with the edit though :P

[umar98]

Any luck on how to do this?

[Fatmanpoc]

Any luck on how to do this?

got same error...any clue on this?

[M359AH]

Hello Fatma, Umar

Unfortunately, I didn't find this error before

[jareddarkweb]

me aswelll

[Faizee-Asad]

https://vercel.com/docs/concepts/projects/custom-domains

[boryspierov]

Any luck on how to do this?

same error , vercel fixed the bug no luck

[abuvanth]

no more takeover

[joren485]

Domain takeovers using Vercel are definitely still possible.

However, they are limited. In my testing, I found that a domain is not vulnerable if:

• The root domain is used by a Vercel account (i.e. the root domain points to 76.76.21.21 and is linked to a project).
• The domain/root domain is verified, even if the root domain does not point to 76.76.21.21.
• Another subdomain of the same root domain is used by a Vercel account.

In practice, this means many subdomains will not be vulnerable (but subdomains definitely can be vulnerable).

There seems to be only one way to be sure a domain is vulnerable or not: try it out.

I created a PR to update the README: #375

[badhacker0x1]

[aravindb26]

I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?

[excommunicado110]

Any success on this?

[brijesh1353]

I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?

This has happened to me too, please show me the solution

[xElkomy]

It's not possible anymore because you have to add a txt record, and that is not possible in the case of subdomain takeover.

[M359AH]

Yes I think the exploitation now will not complete

[rew1nter]

Shouldn't this be marked not vulnerable at this point?

[dark-ninja10]

It should be closed as Not Vulnerable

[Atharv34]

Edge Case.

[pdelteil]

Edge Case.

This is not the example of an edge case. Edge case would be if you managed to take over the subdomain due to uncommon or unknown conditions.

[zangcc]

Is this vulnerability no longer exploitable? Why hasn't the Status changed to Not vulnerable?