Subdomain Takeover of devs.mozillaindia.org

RESOLVED FIXED

People

(Reporter: aditya, Assigned: tanner)

Tracking

({sec-moderate, wsec-other})

Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form], URL)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Hi there,

I have found that devs.mozillaindia.org was vulnerable to subdomain takeover, so I have taken over that subdomain to prevent any malicious person from taking it over.

Let me explain in detail.

1. devs.mozillaindia.org was pointing to GitHub Pages, but devs.mozillaindia.org was not claimed on GitHub Pages; that is why it was possible for anyone to take over this subdomain.
2. I have created a private repository https://github.com/exploitprotocol/devs.mozillaindia.org (if you want, I can send an invite to view the content), and then claimed the subdomain.

To prove the subdomain takeover, you can find a file http://devs.mozillaindia.org/subdomaintakeover.html with the text "Subdomain Takeover of devs.mozillaindia.org".

Thanks
Flags: sec-bounty?
(Reporter)

Comment 1

2 years ago
Created attachment 8906813 [details]
Before Takeover of devs.mozillaindia.org
(Reporter)

Comment 2

2 years ago
Created attachment 8906814 [details]
After Takeover devs.mozillaindia.org

Thanks Aditya!

Confirmed. This is listed as a community site: https://wiki.mozilla.org/Websites/Directory#M
Status: UNCONFIRMED → NEW
Component: Other → Mozilla Community Sites
Ever confirmed: true
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]

Assigning sec-high for subdomain takeover.

Community sites are excluded from the bug bounty: https://www.mozilla.org/en-US/security/web-bug-bounty/

:yalam96 can you handle this or route it to the right people?
Assignee: nobody → yousef
Flags: needinfo?(yousef)
Keywords: sec-high, wsec-other

Tanner will take this one on
Assignee: yousef → tanner.sumo.bugs
Flags: needinfo?(yousef)

(keeping NI on myself so I remember to follow up)
Flags: needinfo?(yousef)
(Assignee)

Updated

2 years ago
Status: NEW → ASSIGNED

Dropping to sec-moderate since I was told community sites don't offer an org-wide threat.

Thanks :yalam96 and :tanner, looks like this is fixed, since I'm not seeing the CNAME to mozillaindia.github.io anymore.
Keywords: sec-high → sec-moderate
(Assignee)

Comment 8

2 years ago
I've changed the DNS of the site to point to MDN. If they want to use GH Pages they'll have to get in contact with me or yousef to make appropriate changes.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Great, thanks :tanner!
Group: websites-security
Flags: needinfo?(yousef)
Flags: sec-bounty? → sec-bounty-
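
The root cause in this bug was a CNAME that still pointed at GitHub Pages while no repository claimed the hostname. The following is an added example, not part of the original report or any Mozilla tooling, of a zone audit that compares CNAME records against an inventory of claimed Pages domains. The `example.org` zone, the `CLAIMED` inventory and all function names are constructed for illustration.

```python
"""Flag zone CNAMEs that point at GitHub Pages but that no Pages repo claims."""

# Constructed zone export (BIND style, one record per line with an explicit owner).
SAMPLE_ZONE = """\
$ORIGIN example.org.
www   300 IN CNAME example-org.github.io.  ; claimed by a Pages repo
devs      IN CNAME example-org.github.io.  ; nobody claims this host
blog         CNAME Example-Org.GitHub.io.  ; case differs, still Pages
docs      IN CNAME docs.example.net.       ; not GitHub Pages
@         IN A     192.0.2.10
"""

# Constructed inventory: custom domains taken from the CNAME files of the
# organisation's own Pages repositories (assumed to be collected separately).
CLAIMED = {"www.example.org"}


def fqdn(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_cnames(zone_text):
    """Return {host: target} for every CNAME record in the zone text."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenise
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".").lower()
            continue
        upper = [f.upper() for f in fields]
        if fields[0].startswith("$") or "CNAME" not in upper[1:-1]:
            continue
        target = fields[upper.index("CNAME", 1) + 1]
        records[fqdn(fields[0], origin)] = fqdn(target, origin)
    return records


def unclaimed_pages_hosts(zone_text, claimed):
    """List (host, target) pairs aimed at *.github.io with no claiming repo."""
    claimed = {c.rstrip(".").lower() for c in claimed}
    return sorted((h, t) for h, t in parse_cnames(zone_text).items()
                  if t.endswith(".github.io") and h not in claimed)
```

Each host the function returns should either be claimed by a repository or have its CNAME removed or repointed, which is the remediation applied in this bug.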