Inspired by Patrik Hudak's subdomain takeover at starbucks.com, I decided to scan for abandoned DNS records. From a different project I still had a script that searches crt.sh for a target domain's subdomains, and I extended it to find subdomains whose CNAME records point at targets that do not resolve.
Scanning for subdomains at welt.de yielded the following non-resolvable CNAME records:
- mond-1.welt.de. CNAME mond-1.w3l7.de.
- mond-2.welt.de. CNAME mond-2.w3l7.de.
- mond-3.welt.de. CNAME mond-3.w3l7.de.
- mond-4.welt.de. CNAME mond-4.w3l7.de.
- mond-5.welt.de. CNAME mond-5.w3l7.de.
- mond-6.welt.de. CNAME mond-6.w3l7.de.
- sterne-1.welt.de. CNAME sterne-1.w3l7.de.
- sterne-2.welt.de. CNAME sterne-2.w3l7.de.
- sterne-3.welt.de. CNAME sterne-3.w3l7.de.
- sterne-4.welt.de. CNAME sterne-4.w3l7.de.
- sterne-5.welt.de. CNAME sterne-5.w3l7.de.
- sterne-6.welt.de. CNAME sterne-6.w3l7.de.
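The scan described above, as an added Python example that is not the post's own script: it parses crt.sh's JSON output into unique hostnames and flags hosts whose CNAME target does not resolve. The crt.sh sample, the CNAME map and the set of resolvable names are constructed stand-ins for live lookups, so it runs offline; `resolves_via_system_dns` is the live check a real run would plug in instead.

```python
import json
import socket

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.welt.de&output=json); only "name_value" is used here.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "mond-1.welt.de\nmond-2.welt.de"},  # one cert, several SANs
    {"name_value": "www.welt.de"},
    {"name_value": "*.welt.de"},                       # wildcard: no concrete host
    {"name_value": "MOND-1.welt.de."},                 # case / trailing-dot noise
])

# Constructed CNAME data standing in for live DNS answers: two hosts point into
# the unregistered w3l7.de zone from the post, one points at a healthy target.
SAMPLE_CNAMES = {
    "mond-1.welt.de": "mond-1.w3l7.de",
    "mond-2.welt.de": "mond-2.w3l7.de",
    "www.welt.de": "cdn.example.net",
}
SAMPLE_RESOLVABLE = {"cdn.example.net"}

def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Unique, normalised hostnames under `domain` found in crt.sh JSON."""
    found = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                continue  # wildcard SANs name no host we can resolve
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

def dangling_cnames(hosts, cname_of, resolves) -> list[tuple[str, str]]:
    """(host, target) pairs whose CNAME target no longer resolves."""
    return [(h, t) for h in hosts
            if (t := cname_of(h)) is not None and not resolves(t)]

def resolves_via_system_dns(name: str) -> bool:
    """Live variant of `resolves`: True if the system resolver returns an address."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def demo_findings() -> list[tuple[str, str]]:
    """Run the pipeline on the constructed data (no network needed)."""
    hosts = subdomains_from_crtsh(CRTSH_SAMPLE, "welt.de")
    return dangling_cnames(hosts, SAMPLE_CNAMES.get, SAMPLE_RESOLVABLE.__contains__)
```

A target that fails to resolve is only the first signal: before treating a record as a takeover risk, confirm via whois/RDAP that the target's registrable domain (here w3l7.de) is actually unregistered, since transient resolver failures and parked-but-registered zones produce the same NXDOMAIN-looking result.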
Vulnerability and impact
w3l7.de was not registered at that time and could easily have been registered by any malicious actor, who would then have been able to:
- publish any web content under these domains
- send (valid) e-mails with these domains as the sender
- get certificates issued for these domains
- potentially something about Same Origin Policy or Cross Origin Resource Sharing (I haven’t dealt with these enough to be able to assess that.)
Finding the correct way to report a security vulnerability for welt.de was less straightforward. Neither the contact page nor the imprint page on welt.de listed anything useful in this respect, so I went to the website of the company operating welt.de. I wasn't able to find information about an official reporting process there either, but I found contact details for their CISO, to whom I sent my report.
Timeline and Bug Bounty
2019-08-30 Reported the misconfiguration.
2019-09-04 Response: the company apologized for the delayed response, confirmed the issue and promised a better reporting process.
2019-09-04 Removal of the CNAME records verified. Asked for permission to publish the incident.
2019-09-12 Response: Permission to publish the incident was given. The company has also published a page about reporting security incidents via email.
Bug Bounty: 250 €