Lyst: Subdomain takeover of

ID H1:779442
Type hackerone
Reporter parzel
Modified 2020-01-22T14:38:48



The subdomain had a CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore can serve her own content on the subdomain. This allows for various attacks.


The dangling CNAME record of is pointing to ███████ and the bucket which could not be found was: "". I was able to register an S3 bucket with this name in AWS. After enabling static website hosting I was able to take over the subdomain and serve arbitrary content. I am serving a POC to prove I am controlling the subdomain as well as a simple XSS POC.


POC: view-source: Stored XSS: {F691531} {F691530}

Supporting Material/References:

Recommendations for fix

Remove the dangling CNAME record from


The domain takeover allows various attacks. As the full domain is attacker-controlled, it can be used to serve XSS attacks, phishing campaigns and might be used to bypass the Same Origin Policy on other domains and services.
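An added example, not part of the original report: a defender-side audit that supports the recommended fix by comparing a DNS zone export against the account's own bucket inventory, so CNAME records that point at S3 without a matching owned bucket can be removed. It covers both website and REST-style S3 endpoints, which goes beyond the single case reported here. The zone text, hostnames and bucket names are constructed, and `parse_cnames` / `find_dangling` are hypothetical helper names.

```python
import re

# S3 hostnames: <label>.s3[.-region], <label>.s3-website[.-]<region>
S3_TARGET = re.compile(
    r"^(?P<label>.+?)\.s3(?P<website>-website)?"
    r"(?:[.-][a-z]{2}(?:-[a-z]+)+-\d)?\.amazonaws\.com$"
)

# Constructed sample input: BIND-style zone export and owned bucket names.
ZONE = """\
assets.example.test. 300 IN CNAME assets.example.test.s3-website-eu-west-1.amazonaws.com.
old.example.test.    300 IN CNAME old.example.test.s3-website.us-east-1.amazonaws.com.
media.example.test.  300 IN CNAME media.example.test.s3.amazonaws.com. ; legacy
www.example.test.    300 IN CNAME lb.example.test.
"""
OWNED_BUCKETS = {"assets.example.test", "example-logs"}


def parse_cnames(zone_text):
    """Yield (owner, target) for every CNAME line, lowercased, no trailing dot."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if "CNAME" in fields:
            i = fields.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()


def find_dangling(zone_text, owned_buckets):
    """Return CNAMEs to S3 whose serving bucket is not in our inventory."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        match = S3_TARGET.match(target)
        if not match:
            continue  # not an S3 endpoint, out of scope for this check
        # S3 selects the bucket from the Host header, so the bucket that
        # serves a custom hostname is the one named after that hostname.
        if owner not in owned_buckets:
            findings.append({"record": owner, "target": target,
                             "website": bool(match.group("website"))})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE, OWNED_BUCKETS):
        print(f"dangling: {f['record']} -> {f['target']}")
```

A bucket missing from one account's inventory may still be owned by another account in the same organisation, so the inventory passed in should cover every account before a record is deleted.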