Security Report: Subdomain Takeover of https://go.polymath.network Pointing to unbounce #884

Open
aparcekarl opened this issue Feb 27, 2020 · 2 comments


@aparcekarl

Hi Polymath Security Team,

I found that your website is suffering from a subdomain takeover: a subdomain points to Unbounce pages, but no such page is connected to the external server, which is very dangerous.

https://go.polymath.network/

Steps to Takeover:

  1. Log in to Unbounce.
  2. Select the sub-account where you want to add your custom domain.
  3. Open the Domains tab from the side navigation bar.
  4. Click Add a Domain.
  5. Select the type of custom domain, either a root domain or a sub-domain.
  6. Enter your domain name.
  7. Add Domain to confirm.

This unused subdomain can be claimed by anyone and fully taken over.

An attacker can fully take over this subdomain and do whatever he wants. This can cause huge damage to the website's main domain as well as to the company.

Impact

This vulnerability is rated as severe due to the increased impact, as it can be escalated.

I can escalate this issue to a more severe vulnerability where I can create an email address that acts as the admin or support team, for example:

admin@go.polymath.network
support@go.polymath.network

I recommend removing the CNAME and DNS records connecting to it.
You can read about this sort of attack here: http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using

Please consider my report to support my study.

Thank you,

Karl

@maxsam4
Contributor

maxsam4 commented Feb 27, 2020

Hey @aparcekarl, thanks for the report. I agree that there shouldn't be any dangling DNS records. I'll talk to the team to check if we are actively using Unbounce. If we are, then it's not possible to claim the domain in some other account.

Looking a bit more into how Unbounce works, it seems like they require a unique id in the CNAME record to claim a domain. Assuming that we do not have an active Unbounce account anymore, wouldn't the lack of the unique code in the CNAME record still prevent hostile takeovers?

Thank you once again for reporting the issue to us.

@aparcekarl
Author

Thanks for the great response. In my past experience with this particular takeover, it works when the account using the subdomain has been deleted. In the meantime, takeover is highly possible since no more content is hosted on the vulnerable subdomain.
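The report above asserts that the dangling CNAME makes go.polymath.network claimable, and the reply asks whether a CNAME without the provider's unique id can really be claimed. The script below is an added example (not code from the reporter, from Polymath, or from Unbounce) showing how a defender triages such a record: resolve the CNAME with the standard-library resolver, fetch the host over HTTP, and compare the body against a table of "unclaimed hostname" fingerprints. The fingerprint strings, the hostnames in the test, and the verdict names are assumptions constructed for the example; it tells you only whether the provider is currently serving its unclaimed-host page for that name, not whether the provider's verification rules would let a stranger bind it, which is exactly the point the thread leaves open and must be checked against the provider's documentation.

```python
"""Triage a dangling-CNAME / subdomain-takeover candidate.

Network I/O uses only the standard library. The decision logic lives in
classify() so it can be exercised offline on constructed input.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

# CNAME target suffix -> body text the provider serves for a hostname no
# account has claimed. ASSUMPTION: these strings are constructed for this
# example; confirm each one against the provider before relying on it.
FINGERPRINTS = {
    "unbouncepages.com": "The requested URL was not found on this server.",
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
}


@dataclass
class Finding:
    host: str
    cname: Optional[str]
    service: Optional[str]
    # one of: no-cname, unknown-target, cname-unreachable,
    #         unclaimed-fingerprint, in-use
    verdict: str


def match_service(cname: str) -> Optional[str]:
    """Return the fingerprint key whose suffix matches the CNAME target, if any."""
    for suffix in FINGERPRINTS:
        if cname == suffix or cname.endswith("." + suffix):
            return suffix
    return None


def classify(host: str, cname: Optional[str], status: Optional[int], body: str) -> Finding:
    """Pure decision logic: (CNAME target, HTTP status, body) -> verdict."""
    if cname is None:
        return Finding(host, None, None, "no-cname")
    service = match_service(cname)
    if service is None:
        # CNAME to a target we have no fingerprint for: still worth a manual look.
        return Finding(host, cname, None, "unknown-target")
    if status is None:
        # Name resolves but nothing answered over HTTP.
        return Finding(host, cname, service, "cname-unreachable")
    if FINGERPRINTS[service] in body:
        # Provider says no page is bound to this hostname. Whether an attacker
        # can actually bind it depends on the provider's domain-verification rules.
        return Finding(host, cname, service, "unclaimed-fingerprint")
    return Finding(host, cname, service, "in-use")


def resolve_cname(host: str) -> Optional[str]:
    """Canonical name the resolver reports for host, or None if host is not a CNAME.

    gethostbyname_ex() exposes only the end of a CNAME chain, and a CNAME whose
    target no longer exists raises gaierror, so that case is also reported as
    None here; confirm such hosts with `dig CNAME` before closing them out."""
    try:
        canonical, _aliases, _addrs = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return None
    return canonical if canonical.rstrip(".") != host.rstrip(".") else None


def fetch(host: str) -> Tuple[Optional[int], str]:
    """GET http://host/ and return (status, body); network errors give (None, '')."""
    req = urllib.request.Request(f"http://{host}/", headers={"User-Agent": "cname-triage/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx pages still carry the fingerprint
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def check(host: str) -> Finding:
    """Live check: resolve, fetch, classify."""
    cname = resolve_cname(host)
    status, body = fetch(host) if cname else (None, "")
    return classify(host, cname, status, body)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: cname_triage.py <hostname> [<hostname> ...]")
    for name in sys.argv[1:]:
        f = check(name)
        print(f"{f.host}: cname={f.cname} service={f.service} verdict={f.verdict}")
```

Run it against the hosts you own and treat `unclaimed-fingerprint` as "investigate", not "compromised": remove or repoint the record (the fix the reporter recommends) or confirm with the provider that a claim requires account-side proof. Extending FINGERPRINTS to more providers is the usual way to grow this into an inventory-wide sweep.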
