Closed Bug 1427411 Opened 8 years ago Closed 8 years ago

Possible Subdomain Takeover on http://dev-status.mozilla.com via Pingdom

Categories

(Websites :: Other, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hello,

Based on the response of this subdomain it appears the domain is affected by a subdomain takeover issue, however I am unable to serve content from this domain as I believe I require a premium Pingdom account.

This attack vector utilizes DNS-entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own. Check your DNS-configuration for subdomains pointing to services not in use.

Here is a link to subdomain takeovers which are related to Pingdom - http://www.theryangriffin.com/uncategorized/subdomain-takeover-of-stat-pubnub-com/

Regards,
Griffin.
Flags: sec-bounty?
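The reporter's advice ("check your DNS configuration for subdomains pointing to services not in use") and the triage the responders do later in this bug (follow the CNAME chain, see that it lands on a shared provider, note the 404, then claim the vhost or delete the record) can be turned into a small inventory check. The script below is an added example written for this page; it is not part of the bug, of Pingdom, or of any Mozilla tooling. The DNS resolver and HTTP prober are injected callables so it runs offline against constructed sample data; the provider-suffix list is an illustrative assumption, not a complete catalogue; and the `example.org` names are made up. Only the `dev-status.mozilla.com` chain mirrors what the bug shows.

```python
"""Dangling-CNAME triage for subdomain-takeover findings (added example).

For each name it follows the CNAME chain, checks whether any hop lands on a
third-party provider that hands out customer-claimable vhosts, records the
HTTP status the name currently answers with, and emits a remediation verdict
(claim the vhost at the provider, or remove the record).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumption: a short illustrative list of provider suffixes, not exhaustive.
THIRD_PARTY_SUFFIXES = {
    "pingdom.com": "Pingdom public status page",
    "elb.amazonaws.com": "AWS Elastic Load Balancer",
}


@dataclass
class Finding:
    name: str
    chain: List[str]            # CNAME hops in order, excluding `name`
    provider: Optional[str]     # first third-party provider seen in the chain
    http_status: Optional[int]  # None when nothing answered
    verdict: str


def follow_cname(name: str, resolve_cname: Callable[[str], Optional[str]],
                 max_hops: int = 8) -> List[str]:
    """Return the CNAME chain for `name`. `resolve_cname` returns the
    CNAME target, or None when the name has no CNAME (A record / NXDOMAIN)."""
    chain, seen, cur = [], {name}, name
    for _ in range(max_hops):
        target = resolve_cname(cur)
        if target is None:
            break
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
        seen.add(target)
        cur = target
    return chain


def match_provider(hostname: str) -> Optional[str]:
    """Map a hostname to a provider label if it sits under a known suffix."""
    for suffix, label in THIRD_PARTY_SUFFIXES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return label
    return None


def assess(name: str, resolve_cname: Callable[[str], Optional[str]],
           probe_http: Callable[[str], Optional[int]]) -> Finding:
    """Classify one name the way the bug's responders did by hand."""
    chain = follow_cname(name, resolve_cname)
    provider = next((p for p in map(match_provider, chain) if p), None)
    status = probe_http(name) if chain else None
    if not chain:
        verdict = "no CNAME; out of scope"
    elif provider is None:
        verdict = "CNAME to first-party host; review manually"
    elif status is None:
        verdict = "provider CNAME with no HTTP answer; likely dangling, remove or claim"
    elif status == 404:
        verdict = "provider CNAME returning 404; unclaimed vhost, remove or claim"
    else:
        verdict = "provider CNAME serving content; confirm ownership"
    return Finding(name, chain, provider, status, verdict)


# Constructed sample zone data. The dev-status chain mirrors the bug; the
# example.org names are made up for illustration.
SAMPLE_CNAMES = {
    "dev-status.mozilla.com": "stats.pingdom.com",
    "stats.pingdom.com": "prod-public-reports-691547200.eu-west-1.elb.amazonaws.com",
    "status.example.org": "stats.pingdom.com",
    "www.example.org": "web-01.example.org",
}
SAMPLE_HTTP = {"dev-status.mozilla.com": 404, "status.example.org": 200}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(name)


def sample_prober(name: str) -> Optional[int]:
    return SAMPLE_HTTP.get(name)


def triage(names: List[str]) -> List[Finding]:
    return [assess(n, sample_resolver, sample_prober) for n in names]


if __name__ == "__main__":
    for f in triage(["dev-status.mozilla.com", "status.example.org",
                     "www.example.org", "api.example.org"]):
        print(f"{f.name:24} hops={len(f.chain)} provider={f.provider!r} "
              f"http={f.http_status} -> {f.verdict}")
```

In production the two callables would wrap a real resolver (e.g. `dnspython`) and an HTTP client run against the zone's full record export; the verdict for a provider CNAME that 404s is exactly the one reached in this bug, either register the vhost with the provider or delete the RR.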
Griffin: good to hear from you again and thanks for the report. Looks like this points to an ELB host, but I suspect this is Pingdom's shared instance and not a single tenant setup, so I think it's plausible this could result in a takeover scenario.

$ host dev-status.mozilla.com
dev-status.mozilla.com is an alias for stats.pingdom.com.
stats.pingdom.com is an alias for prod-public-reports-691547200.eu-west-1.elb.amazonaws.com.
prod-public-reports-691547200.eu-west-1.elb.amazonaws.com has address 52.209.249.132
prod-public-reports-691547200.eu-west-1.elb.amazonaws.com has address 52.17.152.11
prod-public-reports-691547200.eu-west-1.elb.amazonaws.com has address 54.246.212.50

$ curl -i dev-status.mozilla.com
HTTP/1.1 404 Not Found
Cache-Control: max-age=5
Content-Type: text/html; charset=utf-8
Date: Tue, 02 Jan 2018 14:01:43 GMT
Server: nginx
Content-Length: 2370
Connection: keep-alive
digi: I poked around and looked for provisioning bugs for this name and couldn't find one, any idea who's responsible for this cname, which appears susceptible to a domain takeover? The fix here would be to officially claim this VHOST in Pingdom or simply remove the DNS entry. If we are not sure of an owner here, I think we're safe with nuking the entry as it's 404'ing anyways.
Flags: needinfo?(bhourigan)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #2)
> digi: I poked around and looked for provisioning bugs for this name and
> couldn't find one, any idea who's responsible for this cname, which appears
> susceptible to a domain takeover? The fix here would be to officially claim
> this VHOST in Pingdom or simply remove the DNS entry. If we are not sure of
> an owner here, I think we're safe with nuking the entry as it's 404'ing
> anyways.

This was created on 2014-05-16 by rbryce (former MOC) with a comment of "Pingdom status page development", no bug number was provided in the comment. I went ahead and deleted the RR.
Flags: needinfo?(bhourigan)
:digi - many thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Thanks Jonathan and Brian for the quick response on this. Could we disclose this report as it is now resolved?
Griffin: done, thanks again for the report.
Group: websites-security
Flags: sec-bounty? → sec-bounty+
Flags: needinfo?(april)

I just added it. :)

Flags: needinfo?(april)