Starbucks: Bulgaria - Subdomain takeover of mail.starbucks.bg

2019-11-13T14:04:03
ID H1:736863
Type hackerone
Reporter nukedx
Modified 2019-12-12T21:33:20

Description

nukedx discovered that the mail.starbucks.bg domain was pointing to a mail service from icn.bg and confirmed that icn.bg did not host this domain. nukedx successfully claimed the subdomain from icn.bg, configured login credentials through the web panel and setup a valid email server. nukedx then sent a successful test from an @mail.starbucks.bg email address as a valid POC.

@nukedx — thank you for reporting this vulnerability and confirming the resolution. I was checking Rapid7's fdns dataset for my academic research about cloud services and security issues related with them, a part of research is focused on subdomain hijacking, since Starbucks had some historic reports related to it, I scanned *.starbucks.* on entire dataset, figured out mail.starbucks.bg was pointing unclaimed service from icn.bg, claimed profile and successfully hijacked subdomain with it.

Unfortunately this was only giving mail hosting capabilities so it wasn't full subdomain takeover, kudos for Starbucks team to still accepting this and rewarding it despite being not full subdomain takeover.

It's always pleasure to report Starbucks, they always handle all reports professionally. I hope in future I'll work with them again.