Starbucks: Bulgaria - Subdomain takeover of

ID H1:736863
Type hackerone
Reporter nukedx
Modified 2019-12-12T21:33:20


nukedx discovered that the domain was pointing to a mail service from and confirmed that did not host this domain. nukedx successfully claimed the subdomain from, configured login credentials through the web panel and set up a valid email server. nukedx then sent a successful test from an email address as a valid POC.

@nukedx — thank you for reporting this vulnerability and confirming the resolution. I was checking Rapid7's fdns dataset for my academic research about cloud services and the security issues related to them. Part of the research is focused on subdomain hijacking, and since Starbucks had some historic reports related to it, I scanned *.starbucks.* on the entire dataset, figured out was pointing to an unclaimed service from, claimed a profile and successfully hijacked the subdomain with it.

Unfortunately this was only giving mail hosting capabilities, so it wasn't a full subdomain takeover. Kudos to the Starbucks team for still accepting this and rewarding it despite it not being a full subdomain takeover.

It's always a pleasure to report to Starbucks; they always handle all reports professionally. I hope I'll work with them again in the future.
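The record class behind this report is a dangling DNS entry: an MX or CNAME that still points at a third-party provider after the resource there was released, leaving it claimable by anyone. The following is a defender-side inventory check added here as example code; it is not part of the HackerOne report or of any Starbucks tooling. It walks an exported set of DNS records and flags third-party MX/CNAME targets that no longer resolve. The provider suffixes, the record rows and the `target_exists` resolver stub are all constructed so the script runs offline; in a real run `target_exists` would be replaced by an actual DNS lookup that treats NXDOMAIN as "does not exist".

```python
"""Dangling-DNS (subdomain takeover) detector for MX and CNAME records.

Example code added to illustrate the report above; not from the report.
All provider suffixes, DNS rows and resolver state are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed list of third-party service suffixes the organisation delegates
# subdomains to. A real list comes from the vendor inventory; these are
# placeholders (the .test TLD is reserved and never resolves publicly).
THIRD_PARTY_SUFFIXES = (
    ".example-mailhost.test",   # hypothetical mail-hosting provider
    ".example-pages.test",      # hypothetical static-site provider
)

# Constructed DNS export in the form (name, rrtype, target), e.g. from a
# zone-file dump or a passive-DNS dataset.
SAMPLE_RECORDS = [
    ("promo.example.com", "CNAME", "promo-site.example-pages.test."),
    ("newsletter.example.com", "MX", "mx1.example-mailhost.test."),
    ("legacy.example.com", "MX", "mail-old.example-mailhost.test."),
    ("www.example.com", "A", "203.0.113.10"),
    ("app.example.com", "CNAME", "app.internal.example.com."),
]

# Constructed resolver state standing in for live DNS: names in this set
# "resolve", anything else is treated as NXDOMAIN.
_LIVE_TARGETS = {
    "promo-site.example-pages.test",
    "mx1.example-mailhost.test",
    "app.internal.example.com",
}

# Impact wording per record type: an MX pointing at an unclaimed host lets
# a claimant receive mail for the name (the situation in the report), while
# a CNAME lets them serve content under the name.
_IMPACT = {
    "MX": "inbound mail for this name deliverable to whoever claims the target",
    "CNAME": "content under this name served by whoever claims the target",
}


def normalise(fqdn: str) -> str:
    """Strip the trailing dot and lowercase so comparisons are stable."""
    return fqdn.rstrip(".").lower()


def target_exists(fqdn: str) -> bool:
    """Stub resolver: replace with a real lookup (NXDOMAIN -> False)."""
    return normalise(fqdn) in _LIVE_TARGETS


def is_third_party(target: str) -> bool:
    """True when the target lives under a known external provider suffix."""
    t = normalise(target)
    return any(t.endswith(suffix) for suffix in THIRD_PARTY_SUFFIXES)


@dataclass(frozen=True)
class Finding:
    name: str
    rrtype: str
    target: str
    impact: str


def find_dangling(records, exists=target_exists) -> list[Finding]:
    """Return MX/CNAME records whose third-party target no longer resolves."""
    findings: list[Finding] = []
    for name, rrtype, target in records:
        if rrtype not in _IMPACT:
            continue  # A/AAAA need an IP-ownership check, not covered here
        if not is_third_party(target):
            continue  # stale in-house targets are not claimable by outsiders
        if not exists(target):
            findings.append(Finding(name, rrtype, normalise(target), _IMPACT[rrtype]))
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_RECORDS):
        print(f"{f.name} {f.rrtype} -> {f.target}: {f.impact}")
```

On the constructed data only `legacy.example.com` is reported: its MX target is on the external provider and no longer resolves, which is the same shape as the finding in the report (mail for the name, not the web property). Running this against a full zone export on a schedule, and removing or re-pointing flagged records, closes the window before anyone else registers the released resource.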