Subdomain takeover at

Finding and reporting a subdomain takeover vulnerability

Being inspired by Patrik Hudak accomplishing a subdomain takeover at I decided to scan for some abandoned DNS records. From a different project I still had a script ready to search for a target domain's subdomains on and extended that to find subdomains with non-resolvable CNAME records.

The culprit

Scanning for subdomains at yielded the following non-resolvable CNAME records:	    CNAME	    CNAME	    CNAME	    CNAME	    CNAME	    CNAME	CNAME	CNAME	CNAME	CNAME	CNAME	CNAME
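A zone owner can run the same kind of check against their own records. The following is an added example, not the script used in this post: it parses a constructed BIND-style zone export and flags CNAME records whose target does not resolve. The zone contents, the `example.org` origin and all function names are assumptions.

```python
import socket

# Constructed sample zone export; every name here is a placeholder.
SAMPLE_ZONE = """\
; name    ttl   class type  target
www       3600  IN    CNAME web.example.com.
shop      3600  IN    CNAME shop.abandoned-vendor.example.
mail      3600  IN    A     192.0.2.10
status    3600  IN    CNAME status
"""
# Constructed stand-in for live DNS so the demo below runs offline.
SAMPLE_LIVE = {"web.example.com", "status.example.org"}

def absolute(name, origin):
    """Expand a zone-relative name; names ending in '.' are already absolute."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name}.{origin}".lower()

def parse_cnames(zone_text, origin):
    """Return (owner, target) for every CNAME record in the zone export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        if "CNAME" not in fields[1:-1]:
            continue
        target = fields[fields.index("CNAME", 1) + 1]
        records.append((absolute(fields[0], origin), absolute(target, origin)))
    return records

def system_resolves(hostname):
    """Real check via the OS resolver. Any lookup failure counts as
    non-resolving, so confirm hits by hand (NXDOMAIN vs. a transient error)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, origin, resolves=system_resolves):
    """List CNAME records whose target does not resolve."""
    return [(owner, target) for owner, target in parse_cnames(zone_text, origin)
            if not resolves(target)]

if __name__ == "__main__":
    # For a real audit, drop the resolves= argument to query DNS.
    for owner, target in find_dangling(SAMPLE_ZONE, "example.org",
                                       resolves=SAMPLE_LIVE.__contains__):
        print(f"DANGLING {owner} -> {target}")
```

A flagged record is a candidate for removal; whether the target's domain is actually unregistered, as in the case described here, still has to be confirmed separately.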

Vulnerability and impact

The domain was not registered at that time and could easily have been registered by any malicious actor, who would then have been able to

  • publish any web content under these domains
  • send (valid) e-mails with these domains as the sender
  • get certificates issued for these domains
  • potentially something about Same Origin Policy or Cross Origin Resource Sharing (I haven’t dealt with these enough to be able to assess that.)


Finding the correct way to report a security vulnerability for was less straightforward. Neither the contact page nor the imprint page on listed anything useful in this respect, so I went to the website of the company operating I wasn’t able to find information about an official reporting process on there either, but found contact details for their CISO, to whom I sent my report.

Timeline and Bug Bounty

2019-08-30 Reported the misconfiguration.

2019-09-04 Response: the company apologized for the delayed response, confirmed the issue and promised a better reporting process.

2019-09-04 Removal of the CNAME records verified. Asked for permission to publish the incident.

2019-09-12 Response: Permission to publish the incident was given. The company has also published a page about reporting security incidents via email.

Bug Bounty: 250 €