You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found that your website is suffering from subdomain takeover pointing to Unbounce pages but no such page is connected to the external server which is very dangerous.
Select the sub-account where you want to add your custom domain.
Open the Domains tab from the side navigation bar.
Click Add a Domain.
Select the type of custom domain, either a root domain or a sub-domain.
Enter your domain name.
Add Domain to confirm.
This unused subdomain can claim by anyone and fully take over it.
And attacker can fully takeover this subdomain and do whatever he wants. this can cause huge damage to the website's main domain as well as to the company.
Impact
This vulnerability is rated as severe due to the increased impact that can be escalated
I can escalate this issue to a more severe vulnerability where I can create an email address that act as admin or support team
for example:
Hey @aparcekarl , thanks for the report. I agree that there shouldn't be any dangling DNS records. I'll talk to the team to check if we are actively using Unbounce. If we are, then, it's not possible to claim the domain in some other account.
Looking a bit more into how Unbounce works, it seems like they require a unique id in the CNAME record to claim a domain. Assuming that we do not have an active Unbounce account anymore, wouldn't the lack of the unique code in the CNAME record still prevent hostile takeovers?
Thank you once again for reporting the issue to us.
Thanks for the great repsonse, In my past experience with this particular takeover, It works when the account using the subdomain has been deleted. In the mean time, takeover is highly possible since no more contents are hosted in the vulnerable subdomain
Hi Polymath Security Team,
I found that your website is suffering from subdomain takeover pointing to Unbounce pages but no such page is connected to the external server which is very dangerous.
https://go.polymath.network/
Steps to Takeover:
This unused subdomain can claim by anyone and fully take over it.
And attacker can fully takeover this subdomain and do whatever he wants. this can cause huge damage to the website's main domain as well as to the company.
Impact
This vulnerability is rated as severe due to the increased impact that can be escalated
I can escalate this issue to a more severe vulnerability where I can create an email address that act as admin or support team
for example:
[email protected]
[email protected]
I Recommend to remove the Cname and Dns connecting to it.
You can read about this sort of attacks here : http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using
Please Consider my report to Support my study
Thank you,
Karl
The text was updated successfully, but these errors were encountered: