severity_rating: created_at: 2018-07-09 02:00:19 vendor: flock https://hackerone.com/flock bounty_amount:

While testing flock.com I came across the domain flock.co, which also belongs to the Flock company. So I started looking at its subdomains and found the subdomain newdev.flock.co. When I visited the subdomain in a browser I got an error like the one in the screenshot below :-

This caught my attention, so I checked the DNS records for this domain.

R3liGiOus_HuNt3r$ dig newdev.flock.co
; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A
;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.5.249.117
;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From the records above we can see that the subdomain points to the CNAME cname.readme.io. So I started reading the custom domain documentation on the readme.io website to understand how it works. From their documentation I understood that :-

So to take over the subdomain I needed to check whether cname.readme.io was already claimed or not. Unfortunately, it was already claimed :( . But I have seen that many such services don't force users to verify their ownership of a domain, since every customer points their domain at the same CNAME record for the service. So there was still hope.
I opened an account on readme.io and got the subdomain newdev.readme.io. Then I went to the domain settings at https://dash.readme.io/project/newdev/v1.0/domains, entered newdev.flock.co in the Custom Domain field and saved the changes.
Now when I visited newdev.flock.co it redirected me to http://newdev.flock.co/inactive, a page saying Not Yet Active.

This is shown because I was using a trial account. In the webpage title you can see the project name I used while creating the project. So this domain was now serving my content from the newdev.readme.io project page.

How to avoid such issues? :- Always keep your DNS records up to date. Remove CNAME or any other DNS records that are no longer in use.
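As an added example (not part of the original report), here is a small zone-audit script that parses dig-style answer lines like the ones above, walks each CNAME chain, and flags records in your own zones whose chain leaves the hosts you control, so each one can be reviewed and removed if the service behind it is no longer used. The www.flock.co / web.flock.co lines and the 203.0.113.10 address in the sample are constructed to show an in-house CNAME that should not be flagged.

```python
import re

# Constructed sample in dig ANSWER SECTION format: the first three lines mirror
# the report's dig output, the www/web lines are made up to show an in-house
# CNAME that should not be flagged.
SAMPLE_ANSWER = """\
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
www.flock.co. 300 IN CNAME web.flock.co.
web.flock.co. 300 IN A 203.0.113.10
"""

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def parse_answer(text):
    """Map owner name -> (rtype, rdata), lower-cased with trailing dots removed; one record per name."""
    records = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            name, rtype, rdata = m.groups()
            records[name.lower().rstrip(".")] = (rtype, rdata.lower().rstrip("."))
    return records

def in_own_zones(host, own_zones):
    return any(host == z or host.endswith("." + z) for z in own_zones)

def follow_chain(records, name, limit=10):
    """CNAME hops starting at `name`, stopping at a non-CNAME, an unknown name, or the hop limit."""
    chain = [name]
    while len(chain) <= limit:
        rec = records.get(chain[-1])
        if rec is None or rec[0] != "CNAME":
            break
        chain.append(rec[1])
    return chain

def audit_cnames(records, own_zones):
    """Flag CNAMEs in our zones whose chain leaves the zones we control; each hit needs an owner to confirm the service is still in use."""
    findings = []
    for name, (rtype, _) in sorted(records.items()):
        if rtype != "CNAME" or not in_own_zones(name, own_zones):
            continue
        chain = follow_chain(records, name)
        external = [h for h in chain[1:] if not in_own_zones(h, own_zones)]
        if external:
            findings.append({"name": name, "first_external": external[0], "chain": chain})
    return findings
```

Running `audit_cnames(parse_answer(SAMPLE_ANSWER), ["flock.co"])` reports newdev.flock.co with cname.readme.io as its first external hop, while www.flock.co stays silent because its chain ends inside the zone.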

If you find a security vulnerability, feel free to contact them via [email protected]

You can find me on Facebook anytime.
My blog :- https://medium.com/@prial261

Thanks for reading.
