A subdomain takeover vulnerability was discovered on live.lamborghini.com where an expired CloudFront distribution CNAME allowed an attacker to claim the subdomain by creating their own AWS S3 bucket and CloudFront distribution. The researcher demonstrated the attack by registering the subdomain and uploading malicious content, highlighting the risk of phishing and impersonation attacks.
A subdomain takeover on Starbucks earned a $2,000 bug bounty: an unverified Azure Traffic Manager CNAME record pointed to a non-existent trafficmanager.net subdomain, allowing the attacker to register and control the endpoint without domain ownership verification.
A subdomain takeover vulnerability in Starbucks: svcgatewayus.starbucks.com pointed to a non-existent Azure Cloud Service resource, allowing takeover via DNS NXDOMAIN verification and custom domain registration in the Azure portal. The researcher demonstrates the attack methodology specific to Azure's dedicated IP architecture versus virtual host-based services.
A researcher discovered a subdomain takeover vulnerability in Bugcrowd's bugcrowdtrafficcontrol.com domain by exploiting misconfigured DNS pointing to Fastly and Pantheon services, allowing registration of the domain in his own CDN account. The vulnerability was reported to Bugcrowd and closed as N/A despite receiving a $600 bounty.
A researcher discovered and exploited a subdomain takeover vulnerability where a subdomain (hootsuite.site.com) mapped to Netlify via CNAME record was unclaimed, allowing registration and full takeover. The researcher was rewarded $200 for the finding.
A subdomain takeover vulnerability was discovered on flock.co where the subdomain newdev.flock.co had a CNAME record pointing to readme.io's infrastructure, but the custom domain was never claimed in readme.io's project settings, allowing an attacker to register a readme.io account and claim ownership of the vulnerable subdomain.
A technical writeup demonstrates how to identify and exploit 55,000+ subdomain takeover vulnerabilities on Shopify by analyzing CNAME records pointing to Shopify's infrastructure. It covers two exploitation methods (application name mapping and DNS mapping), a step-by-step methodology, and large-scale scanning techniques.
A researcher discovered a subdomain takeover vulnerability on Tokopedia by identifying a subdomain with a CNAME pointing to an expired domain, purchasing that domain for $8, and successfully taking over the subdomain to demonstrate XSS potential before reporting it for a high-severity bounty.
A subdomain takeover vulnerability was discovered on a Pantheon-hosted domain where an unclaimed subdomain displaying 'Unknown Site' could be claimed by registering a Pantheon account and routing a sandbox domain to the vulnerable subdomain, allowing content injection.