Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat


Hi,

As you may have noticed, I wrote "Domain" and not subdomain, because I was actually able to take over the MAIN domain of a company acquired by Snapchat.

As you can see in the screenshot below, when you type "Addlive" in Google ( https://goo.gl/EAxBaj ), the first two results will be:

{F261984}

The first one is a Crunchbase link about the company; the second one is a news article about Snapchat acquiring Addlive for $30M.

If you visit the Crunchbase link, it will give you more information about the company; one item is eye-catching, which is the official MAIN website:

{F261985}

When you visit the website, what you will get is the following:

{F261991}

A quick DNS lookup shows that the MAIN domain is hosted on AWS S3 and no bucket is registered with that name, which means anyone can claim the bucket and take over the domain!

After claiming the bucket, I made it serve static content, so when you visit the MAIN domain http://www.addlive.com you will be faced with my index.html POC:

{F261990}

So we were able to claim the bucket "www.addlive.com".

When I looked for other subdomains that might be vulnerable in the same way, I found that the DOMAIN "addlive.com" (without www) is also showing the same error:

{F261992}

After claiming it as well, I was able to serve my own content/POC:

{F261993}

## Fix

Remove www.addlive.com so it no longer points to an S3 bucket that you don't control. Let me know if you want to own these buckets so I can release them to you.

## Impact

An attacker could serve his own malicious content, a login page or anything else and harvest victims' credentials, especially with these being the MAIN DOMAINS, which makes the impact higher. Also, from a business perspective, it's a big issue for a company acquired for that amount of money to have its main domains owned by an attacker.
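
The condition described in this report can be checked for across a zone you own. The following is an added example, not part of the original report: it takes (name, target) pairs from your own DNS export, keeps those that point at S3, and flags names where S3 answers 404 with the `NoSuchBucket` error code. The `example.com` records and canned responses are constructed sample data, and `audit`, `http_probe` and `sample_probe` are hypothetical names.

```python
import re
import urllib.error
import urllib.request

# Matches S3 REST and static-website endpoint hostnames,
# e.g. s3.amazonaws.com or s3-website-us-east-1.amazonaws.com.
S3_TARGET = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com\.?$", re.I)

def http_probe(host, timeout=5):
    """Fetch http://host/ and return (status, body); (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def audit(records, probe=http_probe):
    """records: iterable of (name, target) taken from your own zone export.
    Returns the names whose target is S3 but whose bucket does not exist."""
    dangling = []
    for name, target in records:
        if not S3_TARGET.search(target):
            continue  # record is not backed by S3
        status, body = probe(name.rstrip("."))
        # A missing bucket yields 404 + NoSuchBucket; a missing object in an
        # existing bucket yields NoSuchKey and is not a takeover condition.
        if status == 404 and "NoSuchBucket" in body:
            dangling.append(name)
    return dangling

# Constructed sample data (no real lookups are performed in this demo).
SAMPLE_RECORDS = [
    ("www.example.com", "www.example.com.s3-website-us-east-1.amazonaws.com."),
    ("static.example.com", "static.example.com.s3-website-us-east-1.amazonaws.com."),
    ("docs.example.com", "docs.example.com.s3.amazonaws.com."),
    ("app.example.com", "d111111abcdef8.cloudfront.net."),
]
SAMPLE_RESPONSES = {
    "www.example.com": (404, "<li>Code: NoSuchBucket</li>"),
    "static.example.com": (200, "<html>ok</html>"),
    "docs.example.com": (404, "<Error><Code>NoSuchKey</Code></Error>"),
}

def sample_probe(host):
    return SAMPLE_RESPONSES.get(host, (None, ""))

if __name__ == "__main__":
    for name in audit(SAMPLE_RECORDS, sample_probe):
        print(f"DANGLING: {name} points at S3 but no bucket exists")
```

Any name it reports should have its DNS record removed, or the matching bucket created in an account you control, before someone else registers it.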