TTS Bug Bounty: Subdomain Takeover

ID H1:289051
Type hackerone
Reporter picklepwns
Modified 2017-11-28T22:03:29


@picklepwns discovered a subdomain takeover attack.

Technically, the domain was out of scope for our Vulnerability Disclosure Policy. We want to remind hackers to please limit their testing to domains explicitly listed in that scope (which is repeated on our HackerOne program page for convenience). This is for your own safety: we want to be sure that everyone's on the same page about your activities being authorized.

That said, this was a legitimate vulnerability, which we fixed with other government partners.

Thanks for the find, @picklepwns - we really appreciate it! While looking for bugs in a TTS target, I stumbled on a host that seemed (loosely) related to my target that was vulnerable to a subdomain takeover via an unused Amazon S3 bucket. I ended up taking over the subdomain and reporting it to the TTS Bug Bounty team who resolved the issue.

The bug was not in scope for the 18F Vulnerability Disclosure Policy and (rightly so) not eligible for a bounty, however the team was quick, responsive, courteous and professional throughout and I highly recommend this program.