can-i-take-over-xyz
Flywheel Service is vulnerable to a subdomain takeover issue.
Service Name
Flywheel PaaS is vulnerable to a subdomain takeover issue where an attacker can claim the subdomain and take over the entire site. I discovered this issue during Vulnerability Analysis and Penetration Testing (VAPT) for one of our clients with my team member @corrupted-brain
Proof
To point a subdomain to the Flywheel application instance, an A record should point to 151.101.2.159; an error page with a message like "Oops! That's not the site you're looking for." confirms the STKO.
Fingerprint
Oops! That's not the site you're looking for.
Fingerprint2
We're sorry, you've landed on a page that is hosted by Flywheel, but isn't yet set up correctly.
Detailed Writeup:
https://smaranchand.com.np/2021/06/flywheel-subdomain-takeover/
Documentation
A Flywheel monthly plan should be purchased to create a Flywheel site/instance and point it to the subdomain. https://getflywheel.com/wordpress-support/how-to-point-your-domain-or-dns-to-flywheel/
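The Proof and Fingerprint sections above give everything a defender needs to audit their own DNS zone for this condition: an A record pointing at the Flywheel IP plus one of the two unclaimed-site messages in the response body. The script below is an added example (not part of the can-i-take-over-xyz project or the issue author's work) that turns those two facts into a check. The IP and fingerprint strings are the ones from the issue; the hostnames, addresses and page bodies in the sample zone are constructed so the logic runs offline, and the resolver and fetcher are injectable so the same code can be pointed at a live zone you administer.

```python
"""Audit a DNS zone for dangling records that point at Flywheel's shared IP
and still serve the unclaimed-site error page.

Added example for defenders checking their own subdomains; not code from
the can-i-take-over-xyz project. Network access is isolated behind two
small functions so the classification logic can be exercised offline.
"""
import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Values taken from the issue: the A record target and the two fingerprints.
FLYWHEEL_IPS = {"151.101.2.159"}
FLYWHEEL_FINGERPRINTS = (
    "Oops! That's not the site you're looking for.",
    "We're sorry, you've landed on a page that is hosted by Flywheel, "
    "but isn't yet set up correctly.",
)


@dataclass
class Finding:
    hostname: str
    addresses: tuple
    points_at_flywheel: bool
    fingerprint_matched: bool

    @property
    def verdict(self) -> str:
        if self.points_at_flywheel and self.fingerprint_matched:
            return "DANGLING"       # unclaimed Flywheel site: remove or re-point the record
        if self.points_at_flywheel:
            return "FLYWHEEL_OK"    # record points at Flywheel and the site is set up
        return "NOT_FLYWHEEL"       # e.g. the Linode IP case discussed in the thread


def resolve_a(hostname: str) -> tuple:
    """Return the IPv4 addresses for hostname (empty tuple if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return ()
    return tuple(sorted({info[4][0] for info in infos}))


def fetch_body(hostname: str, timeout: float = 5.0) -> str:
    """Fetch the HTTP body; an HTTP error status still carries the error page."""
    req = urllib.request.Request(f"http://{hostname}/", headers={"User-Agent": "dns-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def matches_fingerprint(body: str) -> bool:
    """Whitespace-insensitive match so HTML reflowing cannot hide the string."""
    normalised = re.sub(r"\s+", " ", body)
    return any(fp in normalised for fp in FLYWHEEL_FINGERPRINTS)


def audit(hostname: str, resolver=resolve_a, fetcher=fetch_body) -> Finding:
    """Classify one hostname. Only fetches the page when the A record is Flywheel's."""
    addresses = resolver(hostname)
    on_flywheel = bool(set(addresses) & FLYWHEEL_IPS)
    matched = on_flywheel and matches_fingerprint(fetcher(hostname))
    return Finding(hostname, addresses, on_flywheel, matched)


# Constructed offline sample: three records and canned responses (not real hosts).
SAMPLE_ZONE = {
    "blog.example.com": ("151.101.2.159",),   # Flywheel IP, site never claimed
    "shop.example.com": ("151.101.2.159",),   # Flywheel IP, site configured
    "old.example.com": ("203.0.113.10",),     # non-Flywheel IP, like the Linode case
}
SAMPLE_BODIES = {
    "blog.example.com": "<html><body><h1>Oops! That's not\n  the site you're looking for.</h1></body></html>",
    "shop.example.com": "<html><body>Welcome to our shop</body></html>",
}


def audit_sample() -> dict:
    """Run the audit over the constructed zone and return hostname -> verdict."""
    return {
        host: audit(host, lambda h: SAMPLE_ZONE.get(h, ()), lambda h: SAMPLE_BODIES.get(h, "")).verdict
        for host in SAMPLE_ZONE
    }


if __name__ == "__main__":
    for host, verdict in audit_sample().items():
        print(f"{host}: {verdict}")
```

Running it prints one verdict per record; only blog.example.com comes back DANGLING, because it both resolves to the Flywheel IP and serves the fingerprint. The Linode-style record is reported as NOT_FLYWHEEL rather than treated as clean, which matches the thread's observation that the fingerprint alone is not enough when the address is not one of Flywheel's. To audit a real zone, replace SAMPLE_ZONE with your own hostnames and call audit(host) with the default resolver and fetcher.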
I found a potential takeover using the template you created. It's the same, but pointing to a Linode IP rather than a Flywheel one.
You can avoid paying by creating a demo site and adding the domain there.
Hey @pdelteil,
Were you able to claim the subdomain on flywheel? I've come across a similar situation of the A record for the subdomain using a Linode's IP.
Any pointers would be really helpful.
Thanks
Hello @sumgr0,
I couldn't. @smaranchand tried to help me but with no success.
Oh okay... seems like it might work only when the subdomain is pointing to the Flywheel IPs...
Yes, I still don't understand why they are pointing to a Linode IP address. But I realized the certificate of the server mentions Flywheel, so, weird.
Hi everyone, Here is the confirmation. https://twitter.com/Itumeleng_Les/status/1454532272271601668