Subdomain Takeover of devs.mozillaindia.org

RESOLVED FIXED

Status

Websites
Mozilla Community Sites
6 months ago
5 months ago

People

(Reporter: Aditya Agrawal, Assigned: tanner)

Tracking

({sec-moderate, wsec-other})

Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form], URL)

Attachments

(2 attachments)

(Reporter)

Description

6 months ago
Hi there,

I have found that devs.mozillaindia.org was vulnerable to subdomain takeover, so I have taken over that subdomain to prevent any malicious person from taking it over.

Let me explain in detail.

1. devs.mozillaindia.org was pointing to GitHub Pages, but devs.mozillaindia.org was not claimed on GitHub Pages; that is why it was possible for anyone to take over this subdomain.
2. I have created a private repository https://github.com/exploitprotocol/devs.mozillaindia.org (if you want, I can send an invite to view the content), and then claimed the subdomain.

To prove subdomain takeover you can find a file http://devs.mozillaindia.org/subdomaintakeover.html with text "Subdomain Takeover of devs.mozillaindia.org". 

Thanks
Flags: sec-bounty?
(Reporter)

Comment 1

6 months ago
Created attachment 8906813 [details]
Before Takeover of devs.mozillaindia.org
(Reporter)

Comment 2

6 months ago
Created attachment 8906814 [details]
After Takeover devs.mozillaindia.org

Comment 3

6 months ago
Thanks Aditya!

Confirmed. This is listed as a community site: https://wiki.mozilla.org/Websites/Directory#M
Status: UNCONFIRMED → NEW
Component: Other → Mozilla Community Sites
Ever confirmed: true
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]

Comment 4

6 months ago
Assigning sec-high for subdomain takeover. 

Community sites are excluded from the bug bounty: https://www.mozilla.org/en-US/security/web-bug-bounty/

:yalam96 can you handle this or route it to the right people?
Assignee: nobody → yousef
Flags: needinfo?(yousef)
Keywords: sec-high, wsec-other
Tanner will take this one on
Assignee: yousef → tanner.sumo.bugs
Flags: needinfo?(yousef)
(keeping NI on myself so I remember to follow up)
Flags: needinfo?(yousef)
(Assignee)

Updated

6 months ago
Status: NEW → ASSIGNED

Comment 7

5 months ago
Dropping to sec-moderate since I was told community sites don't offer an org wide threat.

Thanks :yalam96 and :tanner, looks like this is fixed, since I'm not seeing the CNAME to mozillaindia.github.io anymore.
Keywords: sec-high → sec-moderate
(Assignee)

Comment 8

5 months ago
I've changed the DNS of the site to point to MDN. If they want to use GH Pages they'll have to get in contact with me or yousef to make appropriate changes.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED

Comment 9

5 months ago
Great, thanks :tanner!
Group: websites-security
Flags: needinfo?(yousef)
Flags: sec-bounty? → sec-bounty-
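
Added example (not part of the original bug thread, and not Mozilla's code): a zone-owner audit for the condition reported above, a CNAME that still points at GitHub Pages while no repository has claimed the hostname. The `example.org` names, the sample zone and the function names are constructed for illustration, and the marker string is an assumption about GitHub's current 404 page.

```python
import urllib.error
import urllib.request

# Body text GitHub Pages returns with its 404 when no repository has claimed
# the requested hostname (assumption: wording may change; verify before use).
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here"

def parse_cnames(zone_text):
    """Return {name: target} for CNAME records in BIND-style zone lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields[1:-1]:
            target = fields[fields.index("CNAME", 1) + 1]
            records[fields[0].rstrip(".").lower()] = target.rstrip(".").lower()
    return records

def http_probe(host):
    """Fetch http://host/ and return (status, body); (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except OSError:  # URLError, timeouts, connection failures
        return None, ""

def audit(zone_text, probe=http_probe):
    """Classify every CNAME into *.github.io as DANGLING, CLAIMED or UNREACHABLE."""
    findings = {}
    for name, target in parse_cnames(zone_text).items():
        if not target.endswith(".github.io"):
            continue
        status, body = probe(name)
        if status is None:
            findings[name] = "UNREACHABLE"
        elif status == 404 and UNCLAIMED_MARKER in body:
            findings[name] = "DANGLING"
        else:
            findings[name] = "CLAIMED"
    return findings

# Constructed sample zone (example.org names are placeholders, not from the bug).
SAMPLE_ZONE = """\
devs.example.org.  3600 IN CNAME exampleorg.github.io.  ; unclaimed in the test
docs.example.org.  3600 IN CNAME exampleorg.github.io.
www.example.org.   3600 IN CNAME cdn.example.net.
"""
```

A `CLAIMED` result only means some repository answers for the hostname; confirming that the repository belongs to your organisation is a separate check, since a hostname that has already been taken over also answers normally.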