A subdomain takeover vulnerability was discovered on live.lamborghini.com where an expired CloudFront distribution CNAME allowed an attacker to claim the subdomain by creating their own AWS S3 bucket and CloudFront distribution. The researcher demonstrated the attack by registering the subdomain and uploading malicious content, highlighting the risk of phishing and impersonation attacks.
A researcher discovered SQL injection in an AWS-hosted sports company's X-Forwarded-Host header by chaining host header enumeration with time-based SQLi, then bypassed character blacklisting using sqlmap's between.py tamper script to extract the entire database.
A subdomain takeover of ping.ubnt.com via an unclaimed Amazon CloudFront distribution, combined with session cookies shared across *.ubnt.com subdomains, enabled complete authentication bypass of Ubiquiti's SSO system. The vulnerability was responsibly disclosed via HackerOne.
Uber's SSO system was vulnerable to authentication bypass through a combination of subdomain takeover (dangling CloudFront CNAME on saostatic.uber.com) and session cookie theft via shared cookies across *.uber.com subdomains. An attacker could relay CSRF tokens and steal the _csid session cookie from authenticated users, then impersonate them across all Uber subdomains by injecting the stolen cookie into their own login flow.
A researcher discovered a subdomain takeover vulnerability in Bugcrowd's bugcrowdtrafficcontrol.com domain by exploiting misconfigured DNS pointing to Fastly and Pantheon services, allowing registration of the domain in his own CDN account. The vulnerability was reported to Bugcrowd and closed as N/A despite receiving a $600 bounty.