Uptimerobot.com Custom Domain Takeover

[0xAsuka]

Uptimerobot.com

There is no additional verification for add custom domain. just add cname record and pointing to stats.uptimerobot.com

https://exploit.linuxsec.org/uptimerobot-com-custom-domain-subdomain-takeover/

sorry it is indonesian language. but i add some screenshot so i think you will understand.

[bluedangerforyou]

What is the error on browser? Page not found? 404? page not found? I cannot seem to find a sample not found page.

[0xAsuka]

yes. it say "page not found"

[bluedangerforyou]

Thank you.

[marcelo321]

@linuxsec Hey, how does the cname look like? and the fingerprint only says "page not found"?

[adityathebe]

What is the impact of this takeover ?

[adityathebe]

There's nothing much we can do by setting up a "Public Status Page" in uptimerobot

[bsysop]

Take a look in the impact

• IMPACT: High 7~8.9
• BOUNTY: 100 $

😂

Just for Phishing i guess.

[adityathebe]

Just for Phishing i guess.

Not sure how we can do phishing either since we have absolute no control over the uptimerobot subdomain.

Sorry if I am not understanding correctly

[bsysop]

I mean:

• Bug hunter: This is 100% useless for a Bug Hunter, just find, takeover and report.
• BlackHat: BlackHat can takeover that domain and configure some content and try to trick someone to believe in the attacker words and perform a "Phishing attack"

Not means a bug hunter will do a phishing attack of course.

[adityathebe]

I meant to say it's not possible to perform a phishing attack even for a malicious user.

Even if a subdomain abc.example.com that is pointing to stats.uptimerobot.com is vulnerable to takeover then all an attacker can do is register abc.example.com in uptimerrobot. But that's just it. Visiting the subdomain will show the stats of some site (the attacker has the freedom to choose which site) but there's nothing much one can do beyond that.

[bsysop]

That example show everything UP, right? lets say you properly set a server DOWN just to TRICK (LIE) the company... now you have convinced some staff they have a server down, so now you have a person in panic in the other side, now you can try use that in your favour to do something you need, like click in other poisoned link, or something.

Again, its not something impactful i tried to say its only what an blackhat attacker can do, which in BugBounty it means nothing.

[sumgr0]

The service is similar to statuspage.io and may not be considered impactful.

[Joker-cyber369]

I have a message like
404 PAGE NOT FOUND
on a website how can I take over that subdomain