todayisnew / cdn-gh.firebase.github.io


The domain is taken #1

Open Yichang812 opened 5 years ago

Yichang812 commented 5 years ago

Hi @todayisnew, this is Yichang. I accidentally deleted our GitHub pages whose domain is styleguide.zalora.com. I am wondering if I can take this domain back?

todayisnew commented 5 years ago

Hello Ariel :)

I tried to submit the report via HackerOne, but the program is currently on pause.

I attached it to this report: https://hackerone.com/bugs?subject=user&report_id=428197

I can restore the page for sure; is it possible to review via HackerOne?

Thanks :)

-Eric

Good day,

The program is currently taking a break. I have found a subdomain takeover that should be looked at when time allows:

Subject: Subdomain Takeover via Unclaimed GitHub Pages for styleguide.zalora.com/

Good day, I truly hope it treats you awesomely on your side of the screen :)

I have found that your website styleguide.zalora.com is pointed via a CNAME to an unclaimed GitHub Pages site.

This was not registered on the GitHub service.

I was able to take over the domain:

See my POC (Proof of Concept): http://styleguide.zalora.com/index.html

POC Video: https://www.dropbox.com/s/xxrcaek6qnmjzkp/Screenshot%202018-11-15%2014.29.40.png?dl=0

Options for how to fix:

1) Remove the CNAME record on styleguide.zalora.com/ so it no longer points to GitHub.

2) Ask me to remove my registered styleguide.zalora.com/ on GitHub, and you can re-register yours :)

May you be well on your side of the screen :)

-Eric

Impact:

Cyber attackers can launch a phishing campaign leveraging your established (soon to be impacted) brand reputation.

The victim has no way of telling whether the content is served by the domain owner or the cyber attacker.

Attackers can also chain higher-severity attacks to this. Many applications expose session cookies to a wildcard domain (*.example.com), so any subdomain can access them. An attacker can take a forgotten subdomain, trick the user into visiting it, and extract cookies (even those with the Secure flag). This can be seen as an advanced version of XSS.

On Wed, Nov 21, 2018 at 4:44 AM Ariel Lee notifications@github.com wrote:

Hi @todayisnew, this is Yichang. I accidentally deleted our GitHub pages whose domain is styleguide.zalora.com. I am wondering if I can take this domain back?

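The report above describes the defender's problem: a CNAME left pointing at a GitHub Pages host after the site was deleted. Below is an added example (not code from this issue or its participants) of the audit a zone owner would run to catch such records before someone else does; the resolver and HTTP fetcher are injected, and the zone data and response bodies are constructed samples. The unclaimed-site marker string is assumed from GitHub's 404 page and should be re-verified in a live run.

```python
"""Audit CNAME records for dangling GitHub Pages targets (defender-side check)."""
from typing import Callable, Iterable, List, Optional

# Assumption: text GitHub serves for a Pages host that nobody has claimed.
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here"
GITHUB_PAGES_SUFFIX = ".github.io"


def audit_cname(host: str,
                resolve_cname: Callable[[str], Optional[str]],
                fetch_body: Callable[[str], Optional[str]]) -> str:
    """Classify one host: no-cname, not-github, unverified, claimed or dangling."""
    target = resolve_cname(host)
    if target is None:
        return "no-cname"        # fix option 1 from the report: record is gone
    if not target.rstrip(".").lower().endswith(GITHUB_PAGES_SUFFIX):
        return "not-github"      # other providers need their own fingerprint
    body = fetch_body(host)
    if body is None:
        return "unverified"      # fetch failed; do not guess, re-check later
    if UNCLAIMED_MARKER in body:
        return "dangling"        # takeover-able until the CNAME is removed
    return "claimed"             # a Pages site is still serving this host


def find_dangling(hosts: Iterable[str], resolve_cname, fetch_body) -> List[str]:
    """Return the hosts whose CNAME points at an unclaimed GitHub Pages site."""
    return [h for h in hosts
            if audit_cname(h, resolve_cname, fetch_body) == "dangling"]


# Constructed sample zone and HTTP bodies (hypothetical names, no real lookups).
SAMPLE_CNAMES = {
    "styleguide.example.com": "someorg.github.io.",        # site deleted
    "docs.example.com": "someorg.github.io.",              # still claimed
    "shop.example.com": "shop.example.com.cdn.example.net.",  # other CDN
    "www.example.com": None,                               # A record only
}
SAMPLE_BODIES = {
    "styleguide.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "docs.example.com": "<html><title>Docs</title></html>",
}

if __name__ == "__main__":
    for h in SAMPLE_CNAMES:
        print(h, audit_cname(h, SAMPLE_CNAMES.get, SAMPLE_BODIES.get))
    print("dangling:", find_dangling(SAMPLE_CNAMES, SAMPLE_CNAMES.get, SAMPLE_BODIES.get))
```

For a live audit, pass in your own resolver and HTTP client in place of the two dict lookups; a "dangling" result is resolved by deleting the CNAME or re-claiming the host on GitHub, exactly the two options the report lists.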

Yichang812 commented 5 years ago

Hi Eric, thanks for your reply. I cannot review the report as it is not public. On our side, we have changed our DNS configuration, and styleguide.zalora.com is down (maybe it is still cached on your side).

Thanks :)