Subdomain takeover of vmimages.mozilla.net
Categories
(Infrastructure & Operations :: DNS and Domain Registration, task)
Tracking
(Not tracked)
People
(Reporter: leo.sta.ls, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Hi!
I discovered that vmimages.mozilla.net was pointing to an unclaimed s3 bucket, making it vulnerable to subdomain takeover.
I've claimed the s3 bucket in my aws account and added a simple POC file:
http://vmimages.mozilla.net/takeover.html
Mitigations:
- Remove CNAME to vmimages.mozilla.net.s3-website-us-west-2.amazonaws.com.
Impact:
Subdomain takeovers can be abused for bad things such as:
- account takeovers
- phishing
- hosting malicious content
Best regards,
Leo S
|
||
Comment 1•5 years ago
|
||
Confirmed - thanks for reporting this.
|
||
Comment 2•5 years ago
•
|
||
This was marked invalid in bug 1608019. :ericz, any idea what's going on with that? Did we incorrectly mark it invalid there?
|
||
Updated•5 years ago
|
|
|
||
Comment 3•5 years ago
|
||
No that actually was invalid then and is unfortunately valid now. The s3 bucket was deleted yesterday. We will clean up the dangling DNS.
|
|
||
Comment 4•5 years ago
|
||
Ed cleaned it up. We discussed the need for DNS cleanup in the decomm process and we're working to be more proactive on catching these. Thanks!
|
|
||
Comment 5•5 years ago
|
||
Leo, how would you like to be credited for this one?
Hi! You can use my name "Leo Starcevic" for the HoF.
Thank you!
|
||
Updated•3 years ago
|
|
||
Updated•1 year ago
|
Description
•