@adiffpirate I believe @manasmbellani is right with his signature in subjack.

I did a test with following test cases when I enable public dashboard to stats.masarik.sh (takeoverable cases bold):

Enabled, but don't have any checks enabled. This responds with Public Report Not Activated (fingerprint introduced in New services #159), but it's a false positive as you cannot claim the dashboard with another account. Attempt to do so results in 500: Server Error in the pingdom UI (doesn't seem they check for this on purpose, but it seems secure 🙃)
Enable, with any check enabled. This results in expected state (dashboard shows up), and nobody can takeover it as long as your account is active.
Disable account that had public dashboard enabled. This opens a space for takeover as long as target's CNAME remains pointing to stats.pingdom.com. This works regardless if the dashboard had or hadn't checks enabled before.
Change domain name of public dashboard. This opens a space for takeover as long as target's CNAME remains pointing to stats.pingdom.com.
Point CNAME to stats.pingdom.com, but don't enable it in pingdom. As expected, this opens a space for takeover too (with same response as above.

As far as I can tell, #159 is addressing the false positive case of 1, and we need to address 3, 4 and 5 instead. Or did you have a different example that would allow to takeover This public report page has not been activated by the user cases @adiffpirate?

If you want a robust mechanism that errs on the false positive side, you could check for 404 instead. Both cases return 404, and it's a bit more probable that it will continue to work even if they change wording.

Uh oh!

Pingdom.com Services Are Also Possible To Be Claimed. #144

Description

Service name

Proof

Documentation

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions