Lucene search

K
hackeronePeroniH1:165309
HistorySep 02, 2016 - 3:25 p.m.

Shopify: Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly

2016-09-0215:25:15
peroni
hackerone.com
531

Hi,

I’ve found a Shopifu cdn domain here which had an instance of fastly setup but did not remove the dns record when the service was cancelled. a subdomain takeover similar to that of https://hackerone.com/reports/32825 could be possible.

Vulnerable URL: http://genghis-cdn.shopify.io

Page Response:

Fastly error: unknown domain: genghis-cdn.shopify.io. Please check that this domain has been added to a service.

Which indicate that this domain is point to fastly but there is no app in fastly with that name allowing anyone to claim it.
The subdomain “http://genghis-cdn.shopify.io/” is currently pointing to Fastly (shopify-e.map.fastly.net), but is not registered to a service.

$ host genghis-cdn.shopify.io
genghis-cdn.shopify.io is an alias for shopify-e.map.fastly.net.
shopify-e.map.fastly.net is an alias for prod.shopify-e.map.fastlylb.net.
prod.shopify-e.map.fastlylb.net has address 151.101.60.108

Thanks!