Closed Bug 1748078 Opened 4 years ago Closed 3 years ago

Subdomain Takeover at fervent-illusionist.reticulum.io

Categories

(Websites :: Other, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abiralshrestha100, Unassigned)

References

Details

(Keywords: reporter-external, wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form])

Vulnerable Host

fervent-illusionist.reticulum.io

Description

The given domain fervent-illusionist.reticulum.io is vulnerable to subdomain takeover as it was pointed to Vercel App but not claimed there. I was able to take over the domain by claiming it in Vercel App.

POC url:

https://fervent-illusionist.reticulum.io/234rwesdr234retgfdgsfads
https://archive.ph/07c24

Criticality

The subdomain may or may not be in use as of now. But allowing attackers to host anything on their subdomain poses great risk to the company as:

  1. Phishing / Spear Phishing and more: An attacker could host a complete clone of the real site at the vulnerable domain, add a login form, redirect the user and steal credentials, distribute malware and more. The end-user and even the company employee might never notice it.
  2. Stored XSS: Execute JavaScript on the vulnerable domain, which can be used to set cookies and steal cookies from the parent domain, and perform single-user DoS
  3. Steal data from any domain allowing cross-domain interaction from fervent-illusionist.reticulum.io

Steps to reproduce:

  1. Visit the POC URL above.
  2. You will see the POC provided by me.

{ Please note that I had intentionally hosted the POC at a random URL so that legitimate users do not accidentally visit my POC; an attacker could have hosted anything, including JavaScript, at the webroot / }

Suggested fix

  1. If the Vercel App is no longer required, the DNS record for fervent-illusionist.reticulum.io pointing to the Vercel App should be removed. OR
  2. I can remove the domain from my Vercel App and you can reclaim it again. However, with this method there is the risk of an attacker claiming the instance before you and performing subdomain takeover.
Flags: sec-bounty?
Status: UNCONFIRMED → NEW
Type: task → defect
Ever confirmed: true
Keywords: wsec-takeover
See Also: → 1722107
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
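The report above describes the classic dangling-CNAME pattern: a DNS record still aliases the subdomain to a hosting provider, but nothing on the provider side claims that name, so whoever adds it to their own project serves content under the victim's hostname. The script below is an added example of how a defender would triage this at scale; it is not code from the reporter or from Mozilla. It follows the CNAME chain, checks whether the terminal name still resolves, and, for targets that belong to a known provider, looks for the provider's "unclaimed" response body. The DNS answers and HTTP bodies are constructed to mirror this bug (the Vercel alias before the fix, the NXDOMAIN state after the record was removed, plus an expired-target case and a healthy host); the Vercel CNAME suffix `vercel-dns.com` and the `DEPLOYMENT_NOT_FOUND` marker are assumptions to verify against current vendor behaviour before relying on them.

```python
"""Dangling-CNAME / subdomain-takeover triage.

Added example; not code from the bug report or from Mozilla. All DNS and
HTTP data below is constructed for an offline demo. The provider suffix and
body marker are assumptions about Vercel's unclaimed-domain behaviour and
must be re-verified before use in a real scanner.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Record = Optional[Tuple[str, str]]        # ("CNAME", target) | ("A", ip) | None means NXDOMAIN
Lookup = Callable[[str], Record]
Fetch = Callable[[str], Tuple[int, str]]  # (status, body) for https://<host>/

# Constructed zone data for the offline demo.
DEMO_DNS = {
    "fervent-illusionist.reticulum.io": ("CNAME", "cname.vercel-dns.com"),
    "cname.vercel-dns.com": ("A", "192.0.2.1"),  # placeholder address; only existence matters here
    "old-blog.example.com": ("CNAME", "old-blog.pages.example.invalid"),  # target no longer exists
    "www.example.com": ("A", "203.0.113.10"),
}
# Same zone after the suggested fix: the dangling record has been deleted.
DEMO_DNS_AFTER_FIX = {k: v for k, v in DEMO_DNS.items() if k != "fervent-illusionist.reticulum.io"}

# Constructed HTTP responses for the offline demo.
DEMO_HTTP = {
    "fervent-illusionist.reticulum.io": (404, "404: DEPLOYMENT_NOT_FOUND - The deployment could not be found on Vercel."),
    "www.example.com": (200, "<html>welcome</html>"),
}

# Assumed provider fingerprints: (CNAME target suffix, body marker an unclaimed host serves).
# Extend with other providers as you verify each one.
PROVIDER_FINGERPRINTS = [
    ("vercel-dns.com", "DEPLOYMENT_NOT_FOUND"),
]


@dataclass
class Finding:
    host: str
    chain: List[str]  # the host followed by each CNAME target in order
    verdict: str      # removed | dangling-nxdomain | claimable | claimed | clean | cname-loop
    reason: str


def follow_cname(host: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain from host and return (chain, terminal state)."""
    chain = [host]
    for _ in range(max_hops):
        record = lookup(chain[-1])
        if record is None:
            return chain, "NXDOMAIN"
        rtype, value = record
        if rtype != "CNAME":
            return chain, "RESOLVES"
        chain.append(value.rstrip(".").lower())
    return chain, "LOOP"


def assess(host: str, lookup: Lookup, fetch: Fetch) -> Finding:
    """Classify one hostname; the verdict says what a human must confirm next."""
    chain, state = follow_cname(host, lookup)
    if state == "NXDOMAIN" and len(chain) == 1:
        return Finding(host, chain, "removed", "name does not exist; nothing left to claim")
    if state == "NXDOMAIN":
        return Finding(host, chain, "dangling-nxdomain",
                       f"CNAME target {chain[-1]} does not resolve; check whether that name can be registered")
    if state == "LOOP":
        return Finding(host, chain, "cname-loop", "CNAME chain did not terminate")
    target = chain[-1]
    for suffix, marker in PROVIDER_FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            status, body = fetch(host)
            if marker in body:
                return Finding(host, chain, "claimable",
                               f"{target} is a provider alias and the host serves the unclaimed page (HTTP {status})")
            return Finding(host, chain, "claimed", f"{target} is a provider alias and the host is claimed")
    return Finding(host, chain, "clean", "chain resolves and no known provider alias is involved")


def demo_fetch(host: str) -> Tuple[int, str]:
    return DEMO_HTTP.get(host, (0, ""))


def run_demo() -> dict:
    """Verdicts for the four constructed cases, keyed by scenario name."""
    return {
        "before-fix": assess("fervent-illusionist.reticulum.io", DEMO_DNS.get, demo_fetch).verdict,
        "after-fix": assess("fervent-illusionist.reticulum.io", DEMO_DNS_AFTER_FIX.get, demo_fetch).verdict,
        "expired-target": assess("old-blog.example.com", DEMO_DNS.get, demo_fetch).verdict,
        "healthy": assess("www.example.com", DEMO_DNS.get, demo_fetch).verdict,
    }


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario}: {verdict}")
```

In production the `lookup` callable would wrap a real resolver (dnspython, or the `host`/`dig` output shown in the closing comment) and `fetch` a real HTTP client; keep the verdicts advisory. "claimable" still has to be confirmed the way the reporter did, by attempting the claim from a test account, and "removed" is exactly the NXDOMAIN state the closing comment verifies with `host`. The "dangling-nxdomain" case is worth separating from the provider case because it is only exploitable when the dead target is a name an attacker can register, which a DNS check alone cannot tell you.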

Hello Abiral,

Thank you so much for your report. I will follow up with the engineering teams to resolve the issue and will let you know when we are ready to reclaim the subdomain, appreciate your help.

Thanks,
Frida

Thank you for your report. Subdomain takeovers of domains like this are out of scope of the bug bounty program - please see here for more information.

This subdomain has been deleted

# host fervent-illusionist.reticulum.io
Host fervent-illusionist.reticulum.io not found: 3(NXDOMAIN)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-
Resolution: --- → FIXED
Group: websites-security