Subdomains pointing to vercel.com are vulnerable

[AliSalman-et-al]

Service name

Vercel

Proof

Successful subdomain takeover on a harvard.edu subdomain (screenshot).

Documentation

• Create a new repository on Github and upload an index.html
• Visit https://vercel.com/ and sign up using your Github account
• Create a new project and point it to the previously created Github repository
• Open the "Domains" tab on Vercel and add the vulnerable domain
• Boom! Exploited!

[marcelo321]

Can you share the cname regex and the fingerprint?

[AliSalman-et-al]

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

[adityathebe]

There are definitely edge cases here.

$ host -t CNAME anythingrandom.console.dev.twilio.com
anythingrandom.console.dev.twilio.com is an alias for cname.vercel-dns.com.

$ curl 'https://anythingrandom.console.dev.twilio.com/'                                                                                                     10:12:48
The deployment could not be found on Vercel.

DEPLOYMENT_NOT_FOUND

[marcelo321]

so the cname we need to grep is vercel-dns.com not vercel.com. thank you @adityathebe

[blackcodersec]

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

are you takeover any subdomain? Do you have any poc?

[raladev]

Summary for 2021:
U can takeover mashed.potato.com only if potato.com is not used in the account of the victim, otherwise, u will get Already owned err.

[dark-ninja10]

This can be closed as Edge-case

[M359AH]

It still vulnerable yesterday I takeover 2 subdomains and I've upload my index

[dark-ninja10]

@M359AH u took over mashed.potato.com even when potato.com is already registered? If yes, please share how you managed to do that? Just curious :0

[M359AH]

@jan-muhammad-zaidi

Hello Muhammed

I've found the subdomain I got this error page

• After it, I go to see the CNAME

;; AUTHORITY SECTION:
vercel.app.		60	IN	SOA	ns1.vercel-dns.com. hostmaster.nsone.net. 1644228969 43200 7200 1209600 60

;; Query time: 134 msec
;; SERVER:#53(.131)
;; WHEN: Mon Feb 07 12:41:00 EET 2022
;; MSG SIZE  rcvd: 119

Now I go to vercel.app and add a public repository contains my PoC index and after import the project I've add the domain and added successfully

and my PoC has been uploaded

[dark-ninja10]

How come it's not showing a domain already registered error? Like this

[M359AH]

Hello @jan-muhammad-zaidi

I think your target is not vulnerable because It should be registered without an errors like my comment above