EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

Is cname.bitly.com vulnerable to Subdomain takeover? #234

Open Shoaib18 opened 3 years ago

mheranco commented 1 year ago

Bitly is probably vulnerable, if you read this: https://support.bitly.com/hc/en-us/articles/360025607351

There is no type of verification like a TXT record or something. Only the A and CNAME records, which are the same for everyone.

Problem: You need to pay for the "Basic" plan to use custom domains, which is $35/month. As you cannot host content on bitly itself, it is basically only an Open Redirect. So in my opinion not worth the hassle.
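Because the comment above says the A and CNAME records are the same for every customer, a defender can inventory their own zone for names that delegate to that shared target and check each one against the custom domains in their Bitly account. The following is an added example, not part of the thread or the repository; the zone contents, hostnames and function names are constructed for illustration, and only the `cname.bitly.com` target comes from the issue title.

```python
BITLY_TARGET = "cname.bitly.com."  # CNAME target named in the issue title

# Constructed zone export; every hostname here is a made-up sample.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@      3600 IN A     192.0.2.10
go     3600 IN CNAME cname.bitly.com.
links  300  IN CNAME go
promo  300  IN CNAME CNAME.Bitly.com.   ; mixed case still matches
www    3600 IN CNAME example.com.
old    3600 IN CNAME shop.example.net.
"""

def fqdn(name, origin):
    """Lower-case absolute form of a zone-file name ('@' and relative labels)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin="example.com."):
    """Map owner -> target for CNAME lines (one record per line, owner given)."""
    cnames = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:                 # a type field with rdata after it
            i = types.index("CNAME", 1)
            cnames[fqdn(fields[0], origin)] = fqdn(fields[i + 1], origin)
    return cnames

def bitly_delegations(cnames):
    """Return {owner: chain} for names whose in-zone CNAME chain ends at Bitly."""
    found = {}
    for owner in cnames:
        chain, cur = [owner], owner
        while cur in cnames and cnames[cur] not in chain:   # stop on CNAME loops
            cur = cnames[cur]
            chain.append(cur)
        if chain[-1] == BITLY_TARGET:
            found[owner] = chain
    return found

if __name__ == "__main__":
    for owner, chain in bitly_delegations(parse_cnames(SAMPLE_ZONE)).items():
        print(" -> ".join(chain), "(confirm this domain is still in your Bitly account)")
```

Names that reach the target through another in-zone CNAME (`links` via `go` in the sample) are reported too, since removing only the direct record would leave them behind.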

excommunicado110 commented 1 year ago

Any way to exploit bitly custom domain?

c3l3si4n commented 1 year ago

Confirmed to be vulnerable. Exploited this as of July, 2023.

excommunicado110 commented 1 year ago

> Confirmed to be vulnerable. Exploited this as of July, 2023.

Could you please share the report or process to verify it?

UmerYousuf commented 1 year ago

> Confirmed to be vulnerable. Exploited this as of July, 2023.

@c3l3si4n Could you please share the report or process to verify it?