Hi,
As you may realize, I noted "Domain" and not subdomain because I was actually able to take over the MAIN domain of a company acquired by Snapchat.
As you can see in the screenshot below, when you type "Addlive" in Google ( https://goo.gl/EAxBaj ), the first two results will be:
{F261984}
The first one is a Crunchbase link about the company; the second one is a news item about Snapchat acquiring Addlive for $30M.
If you visit the CrunchBase link, it will give you more information about the company; one of them is eye-catching, which is the official MAIN website:
{F261985}
When you visit the website, what you will get is the following:
{F261991}
A quick DNS lookup shows that the MAIN domain is apparently hosted on AWS S3 and no bucket is registered with that name, which means anyone can claim the bucket and take over the domain!
After claiming the bucket, I made it serve static content, so when you visit the MAIN domain http://www.addlive.com you will be faced with my index.html POC:
{F261990}
So we were able to claim the bucket "www.addlive.com".
When I tried to look for other subdomains that might be vulnerable to the same issue, I found that the DOMAIN "addlive.com" (without www) is also showing the same error:
{F261992}
After claiming it as well, I was able to serve my own content/POC:
{F261993}
## Fix
Remove the www.addlive.com so it no longer points to an S3 Bucket that you don't control. Let me know if you want to own these buckets so I can release them to you.
## Impact
An attacker could serve his own malicious content/login page or whatever and harvest victims' credentials, especially with these being the MAIN DOMAINS, which makes the impact higher. Also, from a business perspective, it's a big issue for a company acquired for that amount of money to have its main domains owned by an attacker.
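
A defender-side check for the condition described in this report, added here as an example (not part of the original report or of Snapchat's tooling): it takes a DNS zone export plus the HTTP response fetched from each host and flags names that still alias to an S3 endpoint while S3 answers `NoSuchBucket`. The record tuple format, the `ALIAS` type label, the `example.test` zone and all sample data are assumptions constructed for illustration.

```python
import re

# Host names of S3 REST and static-website endpoints (regional or global).
S3_ENDPOINT = re.compile(
    r"(?:^|\.)s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)

def norm(host):
    return host.rstrip(".").lower()

def resolve_chain(name, aliases, max_hops=8):
    """Follow alias records from `name`; stop on loops or after max_hops."""
    chain = [name]
    while chain[-1] in aliases and len(chain) <= max_hops:
        nxt = aliases[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def find_dangling_s3(records, responses):
    """records: (name, rtype, target) rows from a zone export.
    responses: {host: (http_status, body)} fetched from each host."""
    # "ALIAS" is this example's label for provider-specific apex aliases.
    aliases = {norm(n): norm(t) for n, r, t in records
               if r.upper() in ("CNAME", "ALIAS")}
    findings = []
    for host in sorted(aliases):
        endpoint = resolve_chain(host, aliases)[-1]
        if not S3_ENDPOINT.search(endpoint):
            continue
        status, body = responses.get(host, (None, ""))
        # NoSuchBucket: the name is unclaimed. NoSuchKey: bucket exists.
        if status == 404 and "NoSuchBucket" in body:
            findings.append((host, endpoint))
    return findings

# Constructed sample data (example.test is a placeholder zone).
WEB = "s3-website-us-east-1.amazonaws.com."
RECORDS = [
    ("www.example.test.", "CNAME", "www.example.test." + WEB),
    ("example.test.", "ALIAS", WEB),
    ("docs.example.test.", "CNAME", "docs.example.test." + WEB),
    ("shop.example.test.", "CNAME", "shop.example.net."),
]
RESPONSES = {
    "www.example.test": (404, "<li>Code: NoSuchBucket</li>"),
    "example.test": (404, "<li>Code: NoSuchBucket</li>"),
    "docs.example.test": (404, "<li>Code: NoSuchKey</li>"),
}
```

Each flagged host needs its DNS record removed or its bucket re-created under an account the zone owner controls, which is the fix the report asks for.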
Report: H1:314594, "Snapchat: Takeover 2 MAIN DOMAINS of a company Acquired by Snapchat" (https://hackerone.com/reports/314594)
Reporter: ayoubfathi
Published: 2018-02-09T23:36:24; modified: 2018-02-23T19:57:55
Bounty: 250.0 (state: resolved)