Subdomain takeover at bmw.de

Reporting another subdomain takeover vulnerability

When I was first scanning for abandoned CNAME entries and found subdomains of welt.de which could have easily been taken over, I also found a vulnerable subdomain at bmw.de. The backstory is the same as in that other post so I won’t repeat it here.

The culprit

Scanning for subdomains at bmw.de yielded the following non-resolvable CNAME record:

icommunity.bmw.de. CNAME de.bmwi.community.

Vulnerability and impact

The domain bmwi.community was not registered at that time and could have easily been registered by any malicious actor resulting in that actor being able to

  • publish any web content under these domains
  • send (valid) e-mails with these domains as the sender
  • get certificates issued for these domains
  • potentially something about Same Origin Policy or Cross Origin Resource Sharing (I haven’t dealt with these enough to be able to assess that.)

Reporting

Reporting a security issue to BMW was pretty straight forward. While they were not publicly active on any bug bounty platform at the time of reporting, they do provide an official point of contact at https://www.bmwgroup.com/en/general/Security.html including a PGP key. Sending the encrypted report yielded a swift response informing me about the report having been forwarded to the responsible department. In the following weeks and months I was irregularly checking whether the issue had been resolved - which didn’t happen for 90 days. To put some emphasis on my report and to limit a potential malicious actors scope of action I decided to register bmwi.community and provide a PoC. I then served the string “subdomain takeover PoC - jaletzki.de” at https://icommunity.bmw.de/5670f2bd-07f8-4a29-b252-c681ee6053aa (Wayback Machine) and sent another report including a note that I would publish this article. A few days after another acknowledgement of my report the CNAME record was removed without further comment.

Timeline and Bug Bounty

2019-08-30 Reported the misconfiguration.

2019-09-03 Acknowledgement, “Your report has been forwarded to the responsible department.”

2019-12-01 Registered bmwi.community, set up PoC, sent a follow-up.

2019-12-03 Acknowledgement, “We will try to resolve the issue by the end of the year.”

2019-12-09 Removal of CNAME record confirmed.