Starbucks: Subdomain takeover of

ID H1:665398
Type hackerone
Reporter parzel
Modified 2019-08-28T16:43:06


Summary: The subdomain had an CNAME record pointing to an unclaimed Azure webservice. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain

Description: The dangling CNAME record of is pointing to which was not claimed by you. I registered a service with this name and therefore was able to takeover the subdomain. Every attacker doing this has afterwords full control over the contents served on this subdomain.

Platform(s) Affected:

Supporting Material/References:


How can the system be exploited with this bug?

The full domain can be taken over. Arbitrary content can be served under it.

How did you come across this bug ?

I noticed the dangling CNAME record of

Recommendations for fix

1) Remove the dangling CNAME record from 2) I release 3) You can reclaim it if you want


This issue can be exploited in several ways, for example but not limited to: XSS, Phishing, Session Hijacking due to bypassing of SOP