
Subdomain Takeover via Tumblr

Open diophant0x opened this issue 2 years ago • 11 comments

Service name

Tumblr

Fingerprint

A source domain has a DNS entry that points to Tumblr; however, no active blog is associated with the domain.

DNS Record: CNAME domains.tumblr.com.
HTTP Response Status: 404 Not Found
HTTP Response Body: Whatever you were looking for doesn't currently exist at this address

Verification:

curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q "Whatever you were looking for doesn't currently exist at this address" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Takeover Steps

Domains with CNAME to Tumblr are vulnerable to subdomain takeover.

Step-by-step process:

  1. Log in to Tumblr account (MUST validate email address)
  2. Go to Tumblr Account drop down
  3. Click Edit Appearance
  4. Click on the pencil icon next to your username
  5. Select Use a custom domain
  6. Set custom domain to source domain name
  7. Click on Test Domain (Should return It's good!)
  8. Click on Save

Some reports on H1, for Tumblr blog takeovers:

https://hackerone.com/reports/113869

https://hackerone.com/reports/221631

Documentation

Tumblr Custom Domains https://www.tumblr.com/docs/en/custom_domains

diophant0x avatar Oct 20 '21 20:10 diophant0x

thanks

domainhigh avatar Oct 21 '21 07:10 domainhigh

This is an old one.

https://github.com/projectdiscovery/nuclei-templates/blob/master/takeovers/tumblr-takeover.yaml

pdelteil avatar Oct 26 '21 19:10 pdelteil

Although this takeover opportunity was already mentioned in the README doc, documentation on the takeover steps was missing from this repository. Created this issue in tandem with the PR to update the README in #241.

diophant0x avatar Oct 26 '21 22:10 diophant0x

This takeover has changed: to use a custom domain, the DNS record needs to point to domains.tumblr.com.

As seen here:

Screenshot from 2022-03-16 01-42-06

So, if the CNAME is different to domains.tumblr.com (probably old deployments) the target domain is not vulnerable.

pdelteil avatar Mar 16 '22 06:03 pdelteil

if the CNAME is different to domains.tumblr.com

I have a CNAME pointing to domains.tumblr.com but it still shows exactly the same error, what could be the problem??

OVERPEY avatar Sep 05 '22 13:09 OVERPEY

devs, the same on my

https://tumblr.alexdolbun.com

the same error, what could be the problem???)))

alexdolbun avatar Sep 16 '22 19:09 alexdolbun

i understand, done. disabled proxy on cloudflare on https://tumblr.alexdolbun.com/ and this error is gone 🦄

alexdolbun avatar Sep 16 '22 19:09 alexdolbun

OVERPEY

same problem

A7BIL avatar Sep 29 '22 19:09 A7BIL

Hi @pdelteil @diophant0x,

I had originally submitted the A Record based detection for this in #9619931. As far as is made clear in the most up-to-date documentation provided by Tumblr, the A Record of 66.6.44.4 is still valid; however, it may be used for apex domain names only. I think this has always been the case, and it is possible I didn't check for this when I had originally made the commit adding instructions for taking over domain names pointing to Tumblr's web infrastructure. In any case, if dealing with a domain name that has more than two levels, i.e., not only subdomains, but any non-apex domain name (e.g., evil.com.au, evil.co.in, as well as mysite.evil.net), a CNAME Record pointing to the domains.tumblr.com host is required instead.

This issue can be closed once the current information on Tumblr apex and subdomain takeover (as qualified above) has been added to the README file. I would myself make a pull request for this but I don't currently have access to a computer.

Best, Karan

qurbat avatar Dec 21 '22 15:12 qurbat
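The fingerprint from the issue body (CNAME domains.tumblr.com plus the 404 body text) and the apex-versus-subdomain rule from the comment above, combined into a defender's inventory check. This is an added example and not code from this repository or any commenter; the Observation layout, the two-label apex rule and the sample hosts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants come from the thread above; everything else here is constructed.
TUMBLR_CNAME = "domains.tumblr.com"
TUMBLR_APEX_A = "66.6.44.4"   # valid for apex names only (qurbat's comment)
FINGERPRINT = "Whatever you were looking for doesn't currently exist at this address"

@dataclass
class Observation:
    """One name from your own zone plus what GET http://<name>/ returned.
    Take the DNS fields from the authoritative zone, not a public resolver:
    a CDN proxy (the Cloudflare case in the thread) hides the real CNAME."""
    name: str
    cname: Optional[str]        # CNAME target, or None
    a_records: Tuple[str, ...]  # A records, or ()
    status: Optional[int]       # HTTP status, None if unreachable
    body: str                   # response body, "" if none

def is_apex(name: str) -> bool:
    # The thread's rule of thumb: exactly two labels. A real inventory should
    # consult the public suffix list (evil.com.au counts as non-apex here).
    return len(name.strip(".").lower().split(".")) == 2

def classify(obs: Observation) -> str:
    """not-tumblr | legacy-target | apex-only-record | bound | dangling"""
    cname = (obs.cname or "").rstrip(".").lower()
    via_cname = cname == TUMBLR_CNAME
    via_a = TUMBLR_APEX_A in obs.a_records
    if not via_cname and not via_a:
        # Other *.tumblr.com targets are old deployments, not this fingerprint.
        return "legacy-target" if cname.endswith(".tumblr.com") else "not-tumblr"
    if obs.status == 404 and FINGERPRINT in obs.body:
        return "dangling"   # Tumblr answers for the name but no blog owns it: remove the record
    if via_a and not via_cname and not is_apex(obs.name):
        return "apex-only-record"  # non-apex names need the CNAME, not the A record
    return "bound"

def dangling_names(observations: List[Observation]) -> List[str]:
    """Names whose Tumblr record should be removed or reclaimed."""
    return [o.name for o in observations if classify(o) == "dangling"]

# Constructed sample inventory (no real hosts).
SAMPLE = [
    Observation("blog.example.com", "domains.tumblr.com.", (), 404, f"<p>{FINGERPRINT}</p>"),
    Observation("example.com", None, ("66.6.44.4",), 200, "<html>live blog</html>"),
    Observation("www.example.com", None, ("66.6.44.4",), 200, ""),
    Observation("api.example.com", None, ("198.51.100.7",), 200, "{}"),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(f"{o.name:20} {classify(o)}")
```

Run it against a dump of your own zone and the HTTP responses for each name; anything reported as dangling is a record to delete or re-attach to a blog you control.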

Important thing to check before proceeding with the takeover:

  • CNAME should be domains.tumblr.com (if example.com has a CNAME like this: domains.tumblr.com), then takeover is possible for Tumblr, else not. POC

Sechunt3r avatar Jun 05 '23 21:06 Sechunt3r

This no longer appears possible as of 9 June 2023. See this reference and this reference. According to the references, custom domains must be purchased through Tumblr's own domain service.

On web, we’ve launched support for purchasing custom domains for your blogs directly through Tumblr. Existing custom domains linked to blogs will still work, but going forward, custom domains must be purchased through Tumblr. We’re still working on a domain transfer flow, more to come!

Legacy custom domains are domains registered outside of Tumblr that were connected to a Tumblr blog before we introduced Tumblr Domains. Rest assured that your legacy custom domains will remain the home address of your blog until you disable the "Use custom domain" toggle in blog settings under "Custom Theme". It’s important to note that once your legacy custom domain is disconnected, you will not be able to reconnect it to your Tumblr blog.

zzeitlin avatar Jul 31 '23 20:07 zzeitlin