pdelteil
commented
2 years ago Open diophant0x opened 2 years ago
pdelteil
commented
2 years ago 
diophant0x
commented
2 years ago Although this takeover opportunity was already mentioned in the README doc, documentation on the takeover steps was missing from this repository. Created this issue in tandem with the PR to update the README in #241.
pdelteil
commented
2 years ago This takeover has changed, to use to a custom domain the dns record needs to point to domains.tumblr.com.
As seen here:
So, if the CNAME is different to domains.tumblr.com (probably old deployments) the target domain is not vulnerable.
OVERPEY
commented
1 year ago if the CNAME is different to domains.tumblr.com
i have CNAME pointing to domains.tumblr.com but still shows exactly the same error, what could be the problem??
alexdolbun
commented
1 year ago alexdolbun
commented
1 year ago i understand, done. disabled proxy on cloudflare on https://tumblr.alexdolbun.com/ and this error is gone 🦄
qurbat
commented
1 year ago Hi @pdelteil @diophant0x,
I had originally submitted the A Record based detection for this in #9619931. As far is made clear in the most up-to-date documentation provided by Tumblr, the A Record of 66.6.44.4 is still valid, however, it may be used for apex domain names only. I think this has always been the case, and it is possible I didn't check for this when I had originally made the commit adding instructions for taking over domain names pointing to Tumblr's web infrastructure. In any case, if dealing with a domain name that has more than two levels, i.e., not only subdomains, but any non-apex domain name (e.g., evil.com.au, evil.co.in, as well as mysite.evil.net) a CNAME Record pointing to the domains.tumblr.com host is required instead.
This issue can be closed once the current information on Tumblr apex and subdomain takeover (as qualified above) has been added to the README file. I would myself make a pull request for this but I don't currently have access to a computer.
Best, Karan
Sechunt3r
commented
1 year ago Important thing to check before proceeding with the takeover:
domains.tumblr.com) then takeover is possible for Tumblr else not.
zzeitlin
commented
11 months ago This no longer appears possible as of 9 June 2023. See this reference and this reference. According to the references, custom domains must be purchased through Tumblr's own domain service.
On web, we’ve launched support for purchasing custom domains for your blogs directly through Tumblr. Existing custom domains linked to blogs will still work, but going forward, custom domains must be purchased through Tumblr. We’re still working on a domain transfer flow, more to come!
Legacy custom domains are domains registered outside of Tumblr that were connected to a Tumblr blog before we introduced Tumblr Domains. Rest assured that your legacy custom domains will remain the home address of your blog until you disable the "Use custom domain" toggle in blog settings under "Custom Theme". It’s important to note that once your legacy custom domain is disconnected, you will not be able to reconnect it to your Tumblr blog.
Service name
Tumblr
Fingerprint
A source domain has a DNS entry that points to Tumblr, however no active blog is associated with the domain.
DNS Record:
CNAME domains.tumblr.com.HTTP Response Status:404 Not FoundHTTP Response Body:Whatever you were looking for doesn't currently exist at this addressVerification:
curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q "Whatever you were looking for doesn't currently exist at this address" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"Takeover Steps
Domains with CNAME to Tumblr are vulnerable to subdomain takeover.
Step-by-step process:
Some reports on H1, for Tumblr blog takeovers:
https://hackerone.com/reports/113869
https://hackerone.com/reports/221631
Documentation
Tumblr Custom Domains https://www.tumblr.com/docs/en/custom_domains