When I was first scanning for abandoned CNAME entries and found subdomains of welt.de which could have easily been taken over, I also found a vulnerable subdomain at bmw.de. The backstory is the same as in that other post so I won’t repeat it here.
Scanning for subdomains at bmw.de yielded the following non-resolvable CNAME record:
icommunity.bmw.de. CNAME de.bmwi.community.
Vulnerability and impact
bmwi.community was not registered at that time and could have easily been registered by any malicious actor, which would have allowed that actor to
- publish any web content under these domains
- send (valid) e-mails with these domains as the sender
- get certificates issued for these domains
- potentially something about Same Origin Policy or Cross Origin Resource Sharing (I haven’t dealt with these enough to be able to assess that.)
Reporting a security issue to BMW was pretty straightforward. While they were not publicly active on any bug bounty platform at the time of reporting, they do provide an official point of contact at https://www.bmwgroup.com/en/general/Security.html including a PGP key. Sending the encrypted report yielded a swift response informing me that the report had been forwarded to the responsible department. In the following weeks and months I was irregularly checking whether the issue had been resolved, which didn’t happen for 90 days. To put some emphasis on my report and to limit a potential malicious actor’s scope of action I decided to register bmwi.community and provide a PoC. I then served the string “subdomain takeover PoC - jaletzki.de” at https://icommunity.bmw.de/5670f2bd-07f8-4a29-b252-c681ee6053aa (Wayback Machine) and sent another report including a note that I would publish this article. A few days after another acknowledgement of my report the CNAME record was removed without further comment.
Timeline and Bug Bounty
2019-08-30 Reported the misconfiguration.
2019-09-03 Acknowledgement, “Your report has been forwarded to the responsible department.”
bmwi.community, set up PoC, sent a follow-up.
2019-12-03 Acknowledgement, “We will try to resolve the issue by the end of the year.”
2019-12-09 Removal of CNAME record confirmed.