😱 This is what it feels like to have vulnerabilities reported: Subdomain takeover at Syslifters.

Most emails that we receive regarding vulnerabilities in our infrastructure are rather "vulnerabilities": meaning they are not actually real security risks. Last week, we received a report stating that one of our domains was vulnerable to subdomain takeover.

Here's what happened:
* When we started Syslifters, we registered syslifters.com with our private accounts at Porkbun.
* Later, we moved it to our company's IT provider, Hetzner.
* For a seamless migration we added DNS records for our previous nameserver at Porkbun: ns2.syslifters.com pointing to the IP of Porkbun's nameserver.
* Later, we no longer needed it, but forgot to deprovision the record.
* At some point in time, Porkbun replaced the nameserver with that IP.
* The nameserver was running in the AWS cloud, and they returned the IP address, so it could be assigned to other customers.
* Our bug bounty hunter created a server and got that IP address assigned (probably by chance).
* He placed a payload on a web server which was returned when accessing http://ns2.syslifters.com
* Thus, he successfully took over our ns2.syslifters.com subdomain.

He could have misused this vulnerability by:
* Distributing malware using a seemingly legitimate domain name.
* Tricking users who trust our brand.
* Attacking users of other websites hosted on syslifters.com subdomains that solely rely on SameSite=Strict as CSRF protection.

Luckily, he reported the vulnerability to us, so we could react:
* We removed the orphaned DNS record.
* We reviewed all other DNS records.
* If the bug bounty hunter had issued a TLS certificate, we would have had to revoke it (to prevent future MitM attacks on that domain name).

We offered a voluntary bounty of € 200.

We assume that there are some more subdomains pointing to that Porkbun IP address in the wild.

Enjoyed this post?
Then follow us & hit the 🔔 icon for expert insights on Pentesting, Red Teaming, and everything else security-related. ❤️
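As an added example (not Syslifters' own tooling), here is a small audit script for the kind of orphaned record described above: it parses a BIND-style zone fragment and flags A records pointing into IP ranges that a cloud provider recycles between tenants, unless the address is in your own asset inventory. The zone lines, the recycled ranges and the inventory are constructed assumptions for illustration; in practice you would load the provider's published address ranges and your real inventory.

```python
"""Audit a DNS zone for A records pointing at IPs you no longer control.

Added example, not Syslifters' own tooling. The zone lines, the cloud
ranges and the asset inventory below are constructed for illustration.
"""
import ipaddress

# Constructed: address ranges of a provider that recycles IPs between tenants.
RECYCLED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: IPs of servers the organisation currently owns.
OWNED_IPS = {ipaddress.ip_address("203.0.113.10"),
             ipaddress.ip_address("198.51.100.5")}


def parse_zone(zone_text):
    """Yield (name, type, rdata) from BIND-style zone lines, skipping comments."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Expected layout: name [ttl] [IN] type rdata
        name = parts[0]
        rest = [p for p in parts[1:] if p.upper() != "IN" and not p.isdigit()]
        if len(rest) < 2:
            continue
        yield name, rest[0].upper(), rest[1]


def dangling_a_records(zone_text, recycled_ranges, owned_ips):
    """Return names of A records that point into recycled ranges we don't own."""
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(rdata)
        in_recycled = any(ip in net for net in recycled_ranges)
        if in_recycled and ip not in owned_ips:
            findings.append(name)
    return findings


ZONE = """\
; constructed zone fragment
www.example.com.   3600 IN A     203.0.113.10
ns2.example.com.   3600 IN A     203.0.113.77   ; legacy nameserver, never removed
mail.example.com.  3600 IN A     198.51.100.5
api.example.com.        IN CNAME www.example.com.
"""

if __name__ == "__main__":
    for host in dangling_a_records(ZONE, RECYCLED_RANGES, OWNED_IPS):
        print(f"possible dangling record: {host}")
```

A hit only means the address is outside your inventory; confirm by checking who currently answers on it before deleting the record.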
Perfect, short and precious!
We get the maximum out of your pentest with you. | Pentesting & Red Teaming | Co-founder MindBytes GmbH
Thanks for sharing this story!