Hello folks,

I'm a security researcher, and I seek your acceptance to report a security vulnerability in your web application. Initially, I would appreciate it if you could let me know whether your company has a responsible disclosure policy. I am reaching you here to report a full disclosure of a security vulnerability which allowed me to take control over the subdomain due to a misconfiguration.

DNS misconfiguration leads to Takeover of subdomain https://stake.dfohub.com/

Background

This attack vector utilizes DNS entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.

[1] Responsible Disclosure Policy
[2] Security Bug Bounty

Concept

$ host stake.dfohub.com
stake.dfohub.com is an alias for github.io

The subdomain https://stake.dfohub.com/ is pointing to an unclaimed CNAME entry at github.io, but the problem is that the service is inactive; thus any malicious hacker could simply sign up for the github.io service and claim the username https://stake.dfohub.com/ as his own, and no verification is done by the Service Provider, besides which the DNS setup is already correctly set.

I have verified the availability of the https://stake.dfohub.com/ subdomain at github.io and thus claimed it for proof-of-concept purposes.

Technical details

A subdomain takeover is considered a high severity threat and boils down to the registration of a domain by somebody else (with bad intentions) in order to gain control over one or more (sub)domains. This presents an interesting attack vector, which can even lead to several high severity risks like the authentication bypass explained in a bug bounty report https://hackerone.com/reports/172137 by @ArneSwinnen.

Previously a blog post went out about Uber's Sendgrid issues: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

Also, a report from @uranium238 went out due to a similar issue with Slack: https://hackerone.com/reports/163938

Risk Breakdown

An attacker can leverage this method to steal cookies by hosting malicious JavaScript, spread malware, steal money by setting up a sale, steal users' login details, spear-phish, bypass authentication, host fake dapp applications, and do other bad stuff.

Reference: https://0xpatrik.com/subdomain-takeover/

Mitigation

- Check your DNS configuration for subdomains pointing to services that are not in use.
- Set up your external service so it fully listens to your wildcard DNS.
- Our advice is to keep your DNS entries constantly vetted and restricted.

Please let me know if you have any other questions. I would be more than happy to help.

I hope you will take security seriously and, if you wish, consider a reward/bounty by determining the severity of the vulnerability and for responsibly disclosing it.

Bounty/Reward:
BUIDL : 0x53db67df6befe7a4249d437557d455fd7a534a46
ETH ERC20: 0x82aCb9B3Ff79e0cb2199f4d4bDBFA4311D1388A8

Best Regards,
Tom Jeff
tominfosec #Discord
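The mitigation advice above ("check your DNS configuration for subdomains pointing to services not in use") can be turned into a routine audit. The following script is an added example, not the reporter's tooling or dfohub's; it walks the CNAME chain of every record in a constructed zone snapshot (`example.com` names and `192.0.2.x` addresses are placeholders) and reports chains that end at a name that no longer resolves, flagging those whose target sits under a provider that lets anyone register a name, as github.io does in the report.

```python
from dataclasses import dataclass

# Providers that hand out subdomains to any registrant (github.io is from the report; others are assumptions).
CLAIMABLE_SERVICES = {"github.io."}

# Constructed zone snapshot; a name absent from the dict stands for NXDOMAIN (an unclaimed target).
ZONE = {
    "stake.example.com.": {"CNAME": "example-org.github.io."},  # dangling and claimable
    "www.example.com.": {"CNAME": "edge.example.net."},
    "edge.example.net.": {"A": ["192.0.2.10"]},
    "docs.example.com.": {"CNAME": "docs-example.github.io."},
    "docs-example.github.io.": {"A": ["192.0.2.20"]},  # claimed and live: fine
    "old.example.com.": {"CNAME": "retired.example.net."},  # dangling, not claimable
}

@dataclass(frozen=True)
class Finding:
    name: str
    target: str      # last CNAME target in the chain
    claimable: bool  # target sits under a self-registration provider

def follow_cnames(name, zone, max_hops=8):
    """Walk the CNAME chain; return (final_target, exists). Loops count as absent."""
    seen = set()
    current = name
    for _ in range(max_hops):
        rr = zone.get(current)
        if rr is None:
            return current, False
        if "CNAME" not in rr:
            return current, True
        if current in seen:
            return current, False
        seen.add(current)
        current = rr["CNAME"]
    return current, False

def claimable_service(fqdn):
    # True if fqdn itself or any parent label set is a provider in CLAIMABLE_SERVICES
    labels = fqdn.split(".")
    return any(".".join(labels[i:]) in CLAIMABLE_SERVICES for i in range(len(labels)))

def audit(zone):
    """Report every CNAME whose chain ends at a name that does not resolve."""
    findings = []
    for name, rr in sorted(zone.items()):
        if "CNAME" in rr:
            target, exists = follow_cnames(name, zone)
            if not exists:
                findings.append(Finding(name, target, claimable_service(target)))
    return findings
```

In practice the snapshot would be built from a zone export or from live lookups, and a finding with `claimable=True` is the case this report describes: remove the record or re-claim the target before someone else does.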