Massive Subdomains p0wned
Focus, Focus Focus, that’s is what i tell me every day, some days are good, others don't, but remember: if you fail? try harder!
The history: a short one:
Scaning subdomains for known company i found a DNS entry who was pointing to 3rd party Apps. This Apps is well known and used for a lot of companies. So, i decided to create an account and see what is going on.
My first action was trying to claim the company domain for a subdomain takeoverbut sadly with no success, the output was : Another user already claimed! so I decide to test things in the app and force it to give me any domain already claimed.. so in a few minutes: GOTCHA! i found an Oday which permit use any domain who have DNS entry pointing to that apps service.
A Lovely Slogan:
I think well how many companys use this service? I google it with a dork and i found 29800 results! WTF? At this moment my brain was totally shock
An insecure 3rpd Party service or apps is like: “Hi, i have an awesome apps, use mE! and Please, point your subdomain to a mine, i will keep you safe”(of course this last part is bullshit)
This is the slogan to the victim’s companies who use the app and pay for that services, but in the most cases they dont test the in-security of that app. That’s why every services or app need a BBP! (bug bounty program)
One DNS issue and all is Fu@$%%$· bomb!
Well, if one company/service has the control of thousand of domains (because they have the alias of the companies pointing to their service). What happens if is H4ck3d? yes.. a totally disaster..
I create this video PoC for show the potential of the attack when you hack an insecure service with thousand of active users, in this cases other companies with branded domains. [ some images ar in blur because i sended some reports with the issue and dont was fixed yet, resposible disclosure and ethics always first :) ]
I hope that you enjoy this video as i enjoyed creating it.
“Remember: one error can finish in a totally disaster!”
Happy Hacking! @ak1t4
