
Uptimerobot.com Custom Domain Takeover

Open 0xAsuka opened this issue 5 years ago • 16 comments

Uptimerobot.com

There is no additional verification for adding a custom domain. Just add a CNAME record pointing to stats.uptimerobot.com.

https://exploit.linuxsec.org/uptimerobot-com-custom-domain-subdomain-takeover/

Sorry, it is in Indonesian, but I added some screenshots, so I think you will understand.

0xAsuka avatar Sep 24 '18 10:09 0xAsuka

What is the error in the browser? Page not found? 404? I cannot seem to find a sample not-found page.

bluedangerforyou avatar Nov 10 '18 02:11 bluedangerforyou

Yes, it says "page not found".

0xAsuka avatar Nov 10 '18 13:11 0xAsuka
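The fingerprint the thread has established so far is a CNAME to stats.uptimerobot.com combined with a "page not found" response. From the zone owner's side, that is the signature of a dangling record to find and remove before it can be claimed. The following is an added example, not code from this issue or from the can-i-take-over-xyz project: a defender-side audit over a constructed zone export. The hostnames under example.test, the sample response bodies and the `fetch_body` callback are all assumptions made for the example.

```python
"""Dangling-CNAME audit for records that point at stats.uptimerobot.com.

Defender-side inventory check: given the CNAME records of your own DNS zone
and the HTTP body served at each hostname, flag records that should be
removed (or re-registered on the service) because the custom domain is not
claimed there any more.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Fingerprint from the thread: the CNAME target and the body text seen when
# the custom domain is not registered on the service.
UPTIMEROBOT_CNAME_TARGET = "stats.uptimerobot.com"
NOT_FOUND_FINGERPRINT = re.compile(r"page not found", re.IGNORECASE)


@dataclass
class Finding:
    hostname: str
    cname: str
    reason: str


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def points_at_uptimerobot(cname: str) -> bool:
    return normalize(cname) == UPTIMEROBOT_CNAME_TARGET


def body_matches_fingerprint(body: str) -> bool:
    return NOT_FOUND_FINGERPRINT.search(body) is not None


def audit_zone(
    records: Iterable[Tuple[str, str]],
    fetch_body: Callable[[str], Optional[str]],
) -> List[Finding]:
    """records: (hostname, cname) pairs from a zone export.
    fetch_body(hostname): the HTTP body served at that hostname, or None
    when the fetch failed. Only records aimed at the service are fetched."""
    findings: List[Finding] = []
    for hostname, cname in records:
        if not points_at_uptimerobot(cname):
            continue
        body = fetch_body(hostname)
        if body is None:
            findings.append(Finding(hostname, cname,
                "no HTTP response; verify the status page still exists"))
        elif body_matches_fingerprint(body):
            findings.append(Finding(hostname, cname,
                "unclaimed custom domain: remove the CNAME or re-register the status page"))
    return findings


# Constructed sample zone and responses (hypothetical hosts, not real data).
SAMPLE_ZONE = [
    ("status.example.test", "stats.uptimerobot.com."),      # claimed, healthy
    ("legacy-status.example.test", "STATS.uptimerobot.com"), # dangling
    ("www.example.test", "example-cdn.test."),               # unrelated CNAME
    ("uptime.example.test", "stats.uptimerobot.com"),        # no response
]
SAMPLE_BODIES = {
    "status.example.test": "<html><title>Example status</title>All systems operational</html>",
    "legacy-status.example.test": "<html><h1>Page not found</h1></html>",
}


def sample_fetch(hostname: str) -> Optional[str]:
    """Stand-in for an HTTP fetch; returns None for hosts with no response."""
    return SAMPLE_BODIES.get(hostname)


def run_sample() -> List[Finding]:
    return audit_zone(SAMPLE_ZONE, sample_fetch)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.hostname} -> {f.cname}: {f.reason}")
```

In real use the records come from a zone export or your DNS provider's API, and `fetch_body` wraps an HTTP client with a timeout; records that fail to fetch are reported separately rather than silently skipped, because a record that cannot be verified is exactly the one that tends to be forgotten.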

Thank you.

bluedangerforyou avatar Nov 10 '18 17:11 bluedangerforyou

@linuxsec Hey, what does the CNAME look like? And does the fingerprint only say "page not found"?

marcelo321 avatar May 01 '20 03:05 marcelo321

What is the impact of this takeover?

adityathebe avatar May 06 '20 16:05 adityathebe

There's not much we can do by setting up a "Public Status Page" in UptimeRobot.

adityathebe avatar May 06 '20 19:05 adityathebe

Take a look at the impact:

  • IMPACT: High 7~8.9
  • BOUNTY: 100 $

:joy:

Just for phishing, I guess.

bsysop avatar May 07 '20 15:05 bsysop

Just for phishing, I guess.

Not sure how we can do phishing either, since we have absolutely no control over the UptimeRobot subdomain.

Sorry if I am not understanding correctly.

adityathebe avatar May 07 '20 15:05 adityathebe

I mean:

  • Bug hunter: This is 100% useless for a bug hunter; just find, take over and report.
  • BlackHat: A blackhat can take over that domain, configure some content and try to trick someone into believing the attacker's words, performing a "phishing attack".

That doesn't mean a bug hunter will do a phishing attack, of course.

bsysop avatar May 07 '20 15:05 bsysop

I meant to say it's not possible to perform a phishing attack even for a malicious user.

Even if a subdomain abc.example.com that is pointing to stats.uptimerobot.com is vulnerable to takeover, all an attacker can do is register abc.example.com in UptimeRobot. But that's it. Visiting the subdomain will show the stats of some site (the attacker has the freedom to choose which site), but there's not much one can do beyond that.

adityathebe avatar May 07 '20 15:05 adityathebe

[Screenshot 2020-05-07 at 12:47:29]

That example shows everything UP, right? Let's say you deliberately set a server to DOWN just to TRICK (LIE to) the company... now you have convinced some staff that they have a server down, so you have a person in panic on the other side, and you can try to use that in your favour to do something you need, like getting them to click another poisoned link, or something.

Again, it's not something impactful; I tried to say it's only what a blackhat attacker can do, which in bug bounty means nothing.

bsysop avatar May 07 '20 15:05 bsysop

The service is similar to statuspage.io and may not be considered impactful.

sumgr0 avatar May 07 '20 17:05 sumgr0

I have a message like 404 PAGE NOT FOUND on a website. How can I take over that subdomain?

Joker-cyber369 avatar Jun 02 '21 14:06 Joker-cyber369

I got a 404 page and did not find how to take over the page.

xgt6op avatar Feb 03 '23 17:02 xgt6op

Can anyone help me: do I have to buy premium for the custom domain?

xgt6op avatar Feb 13 '23 11:02 xgt6op

Hello,

does this need a premium account to add a custom domain?

Ye-Yint-Htet-T avatar May 07 '23 19:05 Ye-Yint-Htet-T