U.S. Dept Of Defense: Subdomain takeover ██████

The subdomain █████ was found to be pointing to open-elb-prod-277276106.us-east-1.elb-amazonaws.com., and the domain elb-amazonaws.com was available for registration. This vulnerability could have been exploited to host unwanted content, receive email, and potentially execute cross-site scripting...

U.S. Dept Of Defense: Subdomain Takeover via Host Header Injection on www.█████

The vulnerability was a subdomain takeover due to a CNAME record pointing to an unclaimed domain. This allowed malicious individuals to potentially take control of the affected subdomain and use it for malicious purposes...

SUSE CVE-2006-4252

PowerDNS Recursor 3.1.3 and earlier allows remote attackers to cause a denial of service resource exhaustion and application crash via a CNAME record with a zero TTL, which triggers an infinite loop...

Gymshark: Subdomain takeover on 'de-headless.staging.gymshark.com'

The Gymshark subdomain https://de-headless.staging.gymshark.com/ was pointing to an unclaimed Shopify site. Because of this an attacker could claim this subdomain, via Shopify, and serve their own content. This is extremely dangerous as an attacker could serve any malicious content on this domain...

CVE-2022-2220

Insufficient Granularity of Access Control in an OpenShift router causes improper subdomain ownership verification, allowing route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name CNAME record to expose this route externally. The CNAME...

Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]

Summary: I was looking at recent disclosed report 1297689 and I was thinking to take a look for the same issue on this asset as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is CNAME ████.███████████ which's TLD is not...

Palo Alto Software: DNS Miconfiguration Leads to Subdomain Takeover - max1.liveplan.com

Summary The issue happens due to using EC2 public DNS instead of using Elastic IPs as CNAME record. This report is simliar to report 1069795 Misconfiguration - DNS Records json "host": "max1.liveplan.com", "resolver": "1.0.0.1:53" , "a": "54.68.121.128" , "cname":...

Sifchain: Subdomain Takeover At the Main Domain Of Your Site

Hello, I Know that isn't in the Scope But this The Only Way I can Report With And This Issue Is Very High It Belongs to the Main Domain this is pretty serious security issue in some context, so please act as fast as possible. overview the Main Domain sifchain.finance is pointing to wix.com, which...

Sunburst: connecting the dots in the DNS requests

On December 13, 2020 FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting...

Booking.com: Subdomain takeover of ci-support.booking.com (pointing to Zendesk)

Description Host ci-support.booking.com has a CNAME record pointing to ci-support.zendesk.com. Before I created my proof of concept see below, that Zendesk subdomain ci-support was unclaimed, as was the custom hostname ci-support.booking.com on Zendesk. As a result, an attacker could create a...

Shopify: Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)

Hello, Description: --------------------- The subdomain at https://help.tictail.com has an unclaimed CNAME record tictail.zendesk.com . I checked the username availability in the signup process at zendesk, it was observed that the subdomain is vulnerable to a subdomain takeover which allows an...

DNSProbe - A Tool Built On Top Of Retryabledns That Allows You To Perform Multiple DNS Queries Of Your Choice With A List Of User Supplied Resolvers

DNSProbe is a tool built on top of retryabledns that allows you to perform multiple dns queries of your choice with a list of user supplied resolvers. Features Simple and Handy utility to query DNS records. Usage dnsprobe -h This will display help for the tool. Here are all the switches it...

Lyst: Subdomain takeover of storybook.lystit.com

Summary: The subdomain storybook.lystit.com had an CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore can serve her own content on the subdomain. This allows for various attacks. Description: The...

Stripo Inc: subdomain takeover at status0.stripo.email

Hi , The subdomain status0.stripo.email was pointed at uptimerobot.com whereas it was not being used , but having Cname record as stats.uptimerobot.com . Hence anyone can takeover it. I have parked it with atest account on uptimerobot.com F634639 F634636 thanks Impact Anyone can use this subdomai...

Starbucks: Subdomain takeover of datacafe-cert.starbucks.com

Summary: The subdomain datacafe-cert.starbucks.com had an CNAME record pointing to an unclaimed Azure webservice. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain datacafe-cert.starbucks.com. Description: The dangli...

Unprivileged adding of CNAME record causing loop

Description All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue. Patch Availability Patches addressing both these issues have been...

Shopify: Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com

Good day, I truly hope it treats you great on your side of the screen : I have found that your website tim-exclusive.shopify.com is pointed via a cname to an unclaimed Heroku Instance This was not registered on Heroku. I was able to take over the domain: See my POC Pug of Concept...

TakeOver v1 - Extracts CNAME Record Of All Subdomains At Once

What isSubdomain Takeover? Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain sub.example.com that points to an external service su...

Starbucks: Subdomain takeover on wfmnarptpc.starbucks.com

Hello, this is pretty serious security issue in some context, so please act as fast as possible. Overview: One of the starbucks.com subdomains is pointing to Azure, which has unclaimed CNAME record. ANYONE is able to own starbucks.com subdomain at the moment. This vulnerability is called subdomai...

Starbucks: Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com

Hello, This is fairly close to this report however these are different subdomains than the one in the report. This can be pretty serious since I can server virtually anything I want. In the 45 minutes I've held the domain I have served to 341 unique IP addresses. Two starbucks.com subdomains are...