Subdomain takeover on wfmnarptpc.starbucks.com
State Resolved (Closed)
Disclosed publicly 2018-08-09T21:09:10.902Z
Reported To
Weakness Privilege Escalation
Bounty $2,000


Timeline
submitted a report to Starbucks.
2018-07-30T22:20:33.463Z

Hello,

this is a pretty serious security issue in some contexts, so please act as fast as possible.

Overview:
One of the starbucks.com subdomains is pointing to Azure, which has an unclaimed CNAME record. ANYONE is able to own a starbucks.com subdomain at the moment.

This vulnerability is called subdomain takeover. You can read more about it here:

https://0xpatrik.com/subdomain-takeover-basics/

Details:
wfmnarptpc.starbucks.com has a CNAME to s00149tmppcrpt.trafficmanager.net. However, s00149tmppcrpt.trafficmanager.net is not registered in the Azure cloud anymore and thus can be registered by anyone. After registering the Traffic Manager profile in the Azure portal, the person doing so has full control over the content on wfmnarptpc.starbucks.com.

PoC:
http://wfmnarptpc.starbucks.com/poc.html

Mitigation:
Remove the CNAME record from the starbucks.com DNS zone completely.
Claim it back in the Azure portal after I release it.
Regards,

Patrik Hudak

Impact

Subdomain takeover is abused for several purposes:

Malware distribution
Phishing / Spear phishing
XSS
Authentication bypass
...
The list goes on and on. Since some certificate authorities (Let's Encrypt) require only domain verification, an SSL certificate can easily be generated.

Regards,
Frans
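The report above describes the defender-side signal that makes this class of issue detectable: a CNAME in your own zone whose target lives under a cloud provider suffix and no longer resolves. The following is an added example, not code from the report or from Starbucks, of a small dangling-CNAME audit that a zone owner could run over exported CNAME records. The list of claimable provider suffixes, the `example.com` records and the fake resolver are constructed for the example so it runs offline; only the wfmnarptpc / s00149tmppcrpt pair comes from the report.

```python
"""Dangling-CNAME audit (added example, not part of the original report).

For every CNAME record in a zone, resolve the target and report records whose
target does not exist (NXDOMAIN) while sitting under a provider suffix where
names are allocated first-come, first-served. Those are the takeover candidates;
removing the CNAME from the zone is the fix the report recommends.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Provider suffixes under which a released name can be re-registered by anyone.
# This list is an assumption for the example and is not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".trafficmanager.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".s3.amazonaws.com",
    ".herokuapp.com",
)

# A resolver maps a hostname to "ok", "nxdomain" or "error" (SERVFAIL/timeout).
Resolver = Callable[[str], str]


def live_resolver(name: str) -> str:
    """Resolve with the system resolver; only used for a real audit, not in the demo."""
    try:
        socket.getaddrinfo(name, None)
        return "ok"
    except socket.gaierror as exc:
        # EAI_NONAME is "name does not exist"; anything else is inconclusive.
        return "nxdomain" if exc.errno == getattr(socket, "EAI_NONAME", -2) else "error"


def classify_cname(target: str, resolve: Resolver) -> str:
    """Classify one CNAME target as healthy, dangling-claimable, dangling-unknown or inconclusive."""
    host = target.rstrip(".").lower()          # strip trailing dot from zone-file form
    status = resolve(host)
    if status == "ok":
        return "healthy"
    if status == "nxdomain":
        # NXDOMAIN under a claimable provider suffix is the takeover condition.
        return "dangling-claimable" if host.endswith(CLAIMABLE_SUFFIXES) else "dangling-unknown"
    return "inconclusive"


def audit_zone(records: List[Tuple[str, str]], resolve: Resolver) -> Dict[str, List[Tuple[str, str]]]:
    """Group (owner, target) CNAME pairs by classification."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "dangling-claimable": [], "dangling-unknown": [], "inconclusive": [], "healthy": []
    }
    for owner, target in records:
        report[classify_cname(target, resolve)].append((owner, target))
    return report


# Constructed sample zone: first record is from the report, the rest are made up.
SAMPLE_ZONE = [
    ("wfmnarptpc.starbucks.com", "s00149tmppcrpt.trafficmanager.net."),
    ("shop.example.com", "live-shop.trafficmanager.net."),
    ("old.example.com", "retired-vendor.invalid."),
    ("cdn.example.com", "edge.slow-provider.invalid."),
]

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "s00149tmppcrpt.trafficmanager.net": "nxdomain",
    "live-shop.trafficmanager.net": "ok",
    "retired-vendor.invalid": "nxdomain",
    "edge.slow-provider.invalid": "error",
}


def fake_resolver(name: str) -> str:
    return FAKE_DNS.get(name, "nxdomain")


if __name__ == "__main__":
    for bucket, entries in audit_zone(SAMPLE_ZONE, fake_resolver).items():
        for owner, target in entries:
            print(f"{bucket:19} {owner} -> {target}")
```

Swap `fake_resolver` for `live_resolver` to run the audit against real DNS; anything in `dangling-claimable` is a record to delete from the zone (or re-claim on the provider side before an outsider does), and `inconclusive` entries need a retry rather than being ignored.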

thefrog Activities::Comment
2018-07-31T10:22:36.502Z
Hi, Thank you for your submission. We have received your report. Best regards, @thefrog Security Analyst **HackerOne**


ristretto Activities::BugTriaged
2018-07-31T22:17:44.718Z
Hi @0xpatrik, Thanks for your report. We are following up with our internal team to remove the DNS record as a fix to the issue. We will get back once we receive an update so you can release the claimed Traffic Manager name. Once again, thanks for your submission! @ristretto


Activities::BountyAwarded
2018-07-31T22:17:59.335Z


ristretto Activities::BugResolved
2018-08-03T00:32:06.314Z
Hi @0xpatrik, We have confirmed that the issue has been fixed, so the report is being closed. Please let us know if you find any further issues. Thanks for your report! @ristretto


0xpatrik Activities::AgreedOnGoingPublic
2018-08-03T03:54:41.738Z


0xpatrik Activities::Comment
2018-08-07T23:11:53.357Z
Can we disclose this?


ristretto Activities::Comment
2018-08-09T18:35:20.666Z
Hi @0xpatrik, We will disclose the report. Can you please release the "s00149tmppcrpt" Traffic Manager account that you have claimed? Thanks! @ristretto


0xpatrik Activities::Comment
2018-08-09T18:45:12.855Z
I released that last week.


ristretto Activities::Comment
2018-08-09T21:09:02.194Z
Ok, Thanks for confirming! @ristretto


ristretto Activities::AgreedOnGoingPublic
2018-08-09T21:09:10.574Z


ristretto Activities::ReportBecamePublic
2018-08-09T21:09:10.949Z