
Short.io takeover #260

Closed
pdelteil opened this issue Feb 19, 2022 · 12 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@pdelteil
Contributor

Service name

Short.io

Proof

Screenshot from 2022-02-15 15-30-57

```
dig target.tld

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;target.tld.		IN	A

;; ANSWER SECTION:
target.tld.	3600	IN	A	52.21.33.16
target.tld.	3600	IN	A	52.2.56.64
```

Documentation

https://help.short.io/en/articles/4065825-general-subdomain-setup-instruction

@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Feb 21, 2022
@pdelteil
Contributor Author

I also added this template to nuclei.

@gugu

gugu commented Dec 30, 2022

Hi!

Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.

I'll share our checks:

  1. If you connect a domain example.com to Short.io, no one can add an example.com subdomain except you.
  2. You cannot delete a domain in our system if it is still marked as configured. We require the domain to be disconnected first. It is annoying for our users, but we take security seriously.

There can be a corner case when a user points DNS records to our IP and does not add a domain, but that should be a deliberate action because we display configuration instructions after the user adds a domain in our system.

Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents the legitimate domain owner from using our service (and this problem is solved by our support engineers).

Feel free to tell us if you don't think these measures are enough.
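As an added illustration (not Short.io's code, and not a description of their implementation), the toy registry below models the two checks listed in the comment above: only the account that connected a parent domain may add its subdomains, and a domain marked as configured cannot be deleted until it has been disconnected. The account names, the `configured` flag and the method names are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class DomainClaim:
    owner: str
    configured: bool = False  # set once the customer's DNS points at the service

class DomainRegistry:
    def __init__(self) -> None:
        self.claims: dict[str, DomainClaim] = {}  # constructed, in-memory only

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def _owning_parent(self, name: str):
        # Walk up on label boundaries: a.b.example.com -> b.example.com -> example.com
        labels = name.split(".")
        for i in range(1, len(labels)):
            claim = self.claims.get(".".join(labels[i:]))
            if claim is not None:
                return claim
        return None

    def add_domain(self, account: str, name: str) -> bool:
        name = self._norm(name)
        if name in self.claims:
            return False  # already connected by someone; nobody may re-add it
        parent = self._owning_parent(name)
        if parent is not None and parent.owner != account:
            return False  # check 1: only the parent's owner may add its subdomains
        self.claims[name] = DomainClaim(owner=account)
        return True

    def _owned(self, account: str, name: str):
        claim = self.claims.get(self._norm(name))
        return claim if claim is not None and claim.owner == account else None

    def set_configured(self, account: str, name: str, configured: bool) -> bool:
        claim = self._owned(account, name)
        if claim is None:
            return False
        claim.configured = configured  # True = DNS verified, False = disconnected
        return True

    def delete_domain(self, account: str, name: str) -> bool:
        claim = self._owned(account, name)
        if claim is None or claim.configured:
            return False  # check 2: a configured domain must be disconnected first
        del self.claims[self._norm(name)]
        return True
```

The first corner case mentioned above (DNS already pointing at the service with no domain added) is outside this model, because the registry only knows about domains that were actually added.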

@0xspade

0xspade commented Mar 27, 2023

> Hi!
>
> Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.
>
> I'll share our checks:
>
> 1. If you connect a domain example.com to Short.io, no one can add an example.com subdomain except you.
>
> 2. You cannot delete a domain in our system if it is still marked as configured. We require the domain to be disconnected first. It is annoying for our users, but we take security seriously.
>
> There can be a corner case when a user points DNS records to our IP and does not add a domain, but that should be a deliberate action because we display configuration instructions after the user adds a domain in our system.
>
> Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents the legitimate domain owner from using our service (and this problem is solved by our support engineers).
>
> Feel free to tell us if you don't think these measures are enough.

Confirm, not vulnerable anymore.

@gugu

gugu commented Jun 17, 2023

Can you please update the Readme?

@gugu

gugu commented May 1, 2024

@EdOverflow can you please update details about our website?

@pdelteil
Contributor Author

pdelteil commented May 9, 2024

Hello there @gugu,

I can confirm this takeover is still possible.

@hlynurfrey001

> Hello there @gugu,
>
> I can confirm this takeover is still possible.

How?

@gugu

gugu commented May 29, 2024

Yes, more details would be a helpful addition to your answer.

@pdelteil
Contributor Author

> > Hello there @gugu,
> > I can confirm this takeover is still possible.
>
> How?

Adding a custom domain discovered with the template. Test it yourself.

@pdelteil
Contributor Author

> Yes, more details would be a helpful addition to your answer.

where can I send you a report? BBH? 🤣

@hlynurfrey001

> > Yes, more details would be a helpful addition to your answer.
>
> where can I send you a report? BBH? 🤣

At mail hlynurfrey@gmail.com

@hlynurfrey001

> a custom domain discovered with the template. Test it you

What do you mean?
