Closed
Bug 1479263
Opened 7 years ago
Closed 7 years ago
Subdomain Takeover
Categories
(Data Platform and Tools :: General, defect)
Data Platform and Tools
General
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: logicbombpenetrated, Unassigned)
Details
Attachments (1 file): 82.84 KB, image/png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce:
This particular sub-domain has no such S3 bucket existing: http://telemetry-dash.mozilla.org.s3-website-us-east-1.amazonaws.com/
I was able to claim the bucket and create my own page on the "mozilla" domain.
Actual results:
IT CAN CAUSE: subdomain takeover, subdomain page defacement.
PFA the POCs. Subdomain defaced for PoC purposes only and removed now.
Since I have complete control over the subdomain I can do whatever I want on it. I can create a login form that would fool anyone, since it's present on an instapizza.com domain, and collect all their credentials, and can deploy the "mozilla" application; people, thinking it's an original site, can enter their credentials, make an order, make a payment, enter their card, which I can easily log (which I have not done, could be unethical).
(Though now I have removed the index.html)
Expected results:
It should be deleted from the CNAME and DNS records.
Updated•7 years ago
Summary: Sudomain Takeover → Subdomain Takeover
Comment 1•7 years ago
Hello and thanks for the report.
telemetry-dash.mozilla.org used to be a valid domain but it has been decommissioned. There is currently no DNS entry for telemetry-dash.mozilla.org.
The DNS entry you have mentioned telemetry-dash.mozilla.org.s3-website-us-east-1.amazonaws.com is a resource managed by Amazon and is automatically generated when creating a new S3 bucket/website resource within AWS.
As far as I can tell this isn't something we can control on our end.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
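The triage logic in comment 1, as an added example that is not part of this bug or of Mozilla's tooling: a hostname with no DNS record cannot be taken over, and only a CNAME that points at an S3 endpoint whose bucket answers NoSuchBucket is dangling. The resolver and HTTP fetcher are injected so the check runs offline; the fixtures are constructed, and the .invalid hostnames are placeholders.

```python
import re
from typing import Callable, Optional

# The two hostname shapes Amazon generates for a bucket: the virtual-hosted
# endpoint (bucket.s3[.region].amazonaws.com) and the static-website endpoint
# (bucket.s3-website-region.amazonaws.com), the form seen in this bug.
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website[.-][a-z0-9-]+|\.[a-z0-9-]+)?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)

def s3_bucket_from_target(target: str) -> Optional[str]:
    """Return the bucket name if the CNAME target is an S3 endpoint, else None."""
    m = S3_ENDPOINT.match(target)
    return m.group("bucket") if m else None

def classify(hostname: str,
             resolve_cname: Callable[[str], Optional[str]],
             fetch_body: Callable[[str], Optional[str]]) -> str:
    """Triage one hostname for a dangling S3 CNAME.

    "no-record": nothing in DNS points anywhere (comment 1's case: not a takeover)
    "not-s3":    a CNAME exists but does not point at an S3 endpoint
    "dangling":  the CNAME points at an S3 endpoint whose bucket does not exist
    "ok":        the CNAME points at an S3 endpoint that is claimed and serving
    """
    target = resolve_cname(hostname)
    if target is None:
        return "no-record"
    if s3_bucket_from_target(target) is None:
        return "not-s3"
    body = fetch_body(hostname) or ""
    # An unclaimed bucket answers with S3's NoSuchBucket error document.
    if "<Code>NoSuchBucket</Code>" in body:
        return "dangling"
    return "ok"

# Constructed fixtures standing in for a DNS resolver and an HTTP client.
FAKE_CNAMES = {
    "telemetry-dash.mozilla.org": None,  # decommissioned, no DNS entry (comment 1)
    "www.example.invalid": "www.example.invalid.s3-website-us-east-1.amazonaws.com",
    "assets.example.invalid": "assets.example.invalid.s3.amazonaws.com",
    "blog.example.invalid": "ghs.googlehosted.invalid",
}
FAKE_BODIES = {
    "www.example.invalid": "<Error><Code>NoSuchBucket</Code></Error>",
    "assets.example.invalid": "<html>claimed bucket content</html>",
}

def triage_all() -> dict:
    """Run classify() over the fixtures and return hostname -> verdict."""
    return {h: classify(h, FAKE_CNAMES.get, FAKE_BODIES.get) for h in FAKE_CNAMES}
```

Swap the two fixture dicts for a real CNAME lookup and an HTTP GET to run it against your own zone as a dangling-record audit.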