Subdomain takeover at welt.de

Finding and reporting a subdomain takeover vulnerability

Inspired by Patrik Hudak's subdomain takeover at starbucks.com, I decided to scan for abandoned DNS records. From a different project I still had a script that searches crt.sh for a target domain's subdomains, and I extended it to find subdomains whose CNAME records point to non-resolvable targets.

The culprit

Scanning for subdomains at welt.de yielded the following non-resolvable CNAME records:

mond-1.welt.de.     CNAME mond-1.w3l7.de.
mond-2.welt.de.     CNAME mond-2.w3l7.de.
mond-3.welt.de.     CNAME mond-3.w3l7.de.
mond-4.welt.de.     CNAME mond-4.w3l7.de.
mond-5.welt.de.     CNAME mond-5.w3l7.de.
mond-6.welt.de.     CNAME mond-6.w3l7.de.
sterne-1.welt.de.   CNAME sterne-1.w3l7.de.
sterne-2.welt.de.   CNAME sterne-2.w3l7.de.
sterne-3.welt.de.   CNAME sterne-3.w3l7.de.
sterne-4.welt.de.   CNAME sterne-4.w3l7.de.
sterne-5.welt.de.   CNAME sterne-5.w3l7.de.
sterne-6.welt.de.   CNAME sterne-6.w3l7.de.
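As an added example (not the author's script), the following Python audit parses records in the format shown above and groups the owners whose CNAME target does not resolve by the target's registrable domain, which is the value an operator would then check against their registrar or WHOIS. The two-label apex heuristic, the sample records and the socket-based resolver are my assumptions; a test can swap the resolver for a stub.

```python
"""Audit CNAME records for dangling targets (added example, not the post's script)."""
import socket
from collections import defaultdict

# Constructed sample in the "<owner> CNAME <target>" layout used in the post;
# the example.org line is a control that is expected to resolve.
SAMPLE_RECORDS = """
mond-1.welt.de.     CNAME mond-1.w3l7.de.
sterne-1.welt.de.   CNAME sterne-1.w3l7.de.
www.example.org.    CNAME cdn.example.net.
"""


def parse_cnames(text):
    """Return (owner, target) pairs from lines of the form 'owner CNAME target'."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            pairs.append((parts[0].rstrip("."), parts[2].rstrip(".")))
    return pairs


def apex(hostname):
    """Registrable domain under a two-label heuristic (assumption: no public
    suffix list; co.uk-style suffixes would need a PSL lookup)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolves(hostname):
    """True if the name has an address record (live DNS; stubbed in tests)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(text, resolver=resolves):
    """Map each apex of a non-resolving CNAME target to the (owner, target)
    pairs pointing at it. An apex nobody owns is the takeover candidate;
    confirm registration status out of band before treating it as one."""
    dangling = defaultdict(list)
    for owner, target in parse_cnames(text):
        if not resolver(target):
            dangling[apex(target)].append((owner, target))
    return {k: sorted(v) for k, v in dangling.items()}
```

Running it against your own zone export with the default resolver lists every apex you should either re-register or remove from the zone.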

Vulnerability and impact

The domain w3l7.de was not registered at that time. Any malicious actor could easily have registered it, which would have allowed that actor to

  • publish any web content under these domains
  • send (valid) e-mails with these domains as the sender
  • get certificates issued for these domains
  • potentially something about Same Origin Policy or Cross Origin Resource Sharing (I haven’t dealt with these enough to be able to assess that.)

Reporting

Finding the correct way to report a security vulnerability for welt.de was less straightforward. Neither the contact page nor the imprint page on welt.de listed anything useful in this respect, so I went to the website of the company operating welt.de. I wasn't able to find information about an official reporting process there either, but I did find contact details for their CISO, to whom I sent my report.

Timeline and Bug Bounty

2019-08-30 Reported the misconfiguration.

2019-09-04 Response: the company apologized for the delayed response, confirmed the issue and promised a better reporting process.

2019-09-04 Removal of the CNAME records verified. Asked for permission to publish the incident.

2019-09-12 Response: Permission to publish the incident was given. The company has also published a page about reporting security incidents via email.

Bug Bounty: 250 €