can-i-take-over-xyz
Smartling Takeover
Service name
Smartling is a translation service.
Proof
If the vulnerable domain has a CNAME pointing to e.g. *.smartling.com - open that domain and check for the string:
"Domain is not configured"
This means it should be possible to take over.
Documentation
Problem here is I can't actually be sure this works. A couple of subdomain takeover tools mention this service as well as this fingerprint, but I can't actually look up any report or blog post specifying this. Furthermore, to have access to Smartling it seems you actually have to go through a manual register / validation process (I might be wrong).
The best reference so far is actually the Smartling documentation here. Reading the article, it doesn't seem any kind of ownership verification is done so, in theory, it should be possible to just register a domain and complete the takeover.
If anyone can dig a bit more on this, would be awesome.
No idea how to test this, so happy if you can do the ground work.
Here's an example domain: http://cn.atlassian.sl.smartling.com/
This comes from cn.atlassian.com - there's a CNAME pointing there. However, because there are A records, it never reaches the CNAME. I think. Who knows, this is unicorns stuff for me.
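As an added example (not code from the repository or from any commenter), the fingerprint described above can be applied to DNS and HTTP observations already collected for hostnames in your own inventory. The `Observation` type, the verdict labels and the example.com hosts are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

FINGERPRINT = "Domain is not configured"  # string quoted on this page
PROVIDER_SUFFIX = ".smartling.com"        # CNAME target pattern from this page


@dataclass
class Observation:
    """One hostname from your own inventory, with data collected beforehand."""
    host: str
    cname_chain: List[str] = field(default_factory=list)  # CNAME targets seen during resolution
    http_status: Optional[int] = None                     # None: nothing could be fetched
    body: str = ""


def points_to_provider(obs: Observation) -> bool:
    """True if any CNAME in the chain is a subdomain of the provider."""
    # The leading dot in the suffix keeps look-alikes such as notsmartling.com out.
    return any(t.rstrip(".").lower().endswith(PROVIDER_SUFFIX) for t in obs.cname_chain)


def classify(obs: Observation) -> str:
    if not points_to_provider(obs):
        # Includes the case raised in the thread: the name answers with A
        # records directly, so the provider's page is never what is served.
        return "not-applicable"
    if obs.http_status is None:
        return "unreachable"             # CNAME present, no response: check by hand
    if FINGERPRINT.lower() in obs.body.lower():
        return "dangling-cname-review"   # record points at an unconfigured tenant
    return "configured"


# Constructed sample data (hypothetical hosts under example.com).
SAMPLES = [
    Observation("docs.example.com", ["docs.example.sl.smartling.com."], 200, "<h1>Domain is not configured</h1>"),
    Observation("cn.example.com", [], 200, "<html>Welcome</html>"),
    Observation("fr.example.com", ["fr.example.sl.smartling.com"], 200, "<html>Bienvenue</html>"),
    Observation("old.example.com", ["old.example.sl.smartling.com"], None, ""),
    Observation("x.example.com", ["cdn.notsmartling.com"], 200, "Domain is not configured"),
]


def report(observations):
    """Map each hostname to its verdict."""
    return {o.host: classify(o) for o in observations}


if __name__ == "__main__":
    for host, verdict in report(SAMPLES).items():
        print(f"{host:20} {verdict}")
```

A `dangling-cname-review` verdict only says the record matches the fingerprint; the usual remediation is to remove or repoint the CNAME.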
Is this still takeover-able?
paid service :(
I was able to sign up; however, I was unable to access the Smartling dashboard where we can perform the subdomain configurations. I am yet to explore more. If any of you guys know about this, please throw some light. If it is a paid service, I am OK to purchase, but this should work.
paid service :(
Any more information you have on the Shubam?
@knc331 How did you sign up?
Any more information on this?
anything ??
nah nothing!
Any info?
It seems that you can't create a new account.
It seems that you can't create a new account.
I've tried many times to request a demo in order to create an account but no success in the last 6 months.
I think it should be declared 'Not Vulnerable'
Completely manual process, should be Not Vulnerable. @knc331 I think all you did was sign in with Google. You won't be able to do anything with that account aside from log out.
It's not vulnerable :(
Without any proof, nobody can say it is not vulnerable, as you don't know the mindset of black hat hackers; they can do anything, because security is a myth, and if it was not vulnerable, this issue might have already been declared as non-vulnerable like others, but it was not, and it is declared as EDGE CASE.
Lemme rephrase, Completely manual verification process.
I was able to sign up; however, I was unable to access the Smartling dashboard where we can perform the subdomain configurations. I am yet to explore more. If any of you guys know about this, please throw some light. If it is a paid service, I am OK to purchase, but this should work.
How did you sign up?
Is this still a non-issue? Still finding Smartling domains with the "Domain is not configured" text.
I can't sign up in Smartling. How can I do it?
It's the same issue discussed above. I think it's not vulnerable ;)