Second authorization step when adding a custom domain to prevent subdomain/domain takeover


#1

Hi guys!
Subdomain/domain takeover is a thing nowadays. With bounty programs you can see a lot of companies getting subdomain takeovers ( https://www.google.pt/search?q=nowadays&oq=nowa&aqs=chrome.1.69i57j0l5.2519j0j7&sourceid=chrome&ie=UTF-8#q=subdomain+takeover+hackerone ).

While I was researching for a bounty program (btw you should be on one!) I was able to take over a subdomain using your platform. I can provide this PoC in some private way.
I'm not saying that this is all your fault! But you should use a more secure way to authorise a new custom domain on your platform, to prevent a takeover just because someone forgot to remove a line from the DNS record!


Q: What feature / functionality are you looking for?
A: A more secure way for a domain owner to authorise the use of their domain on your platform. My suggestion is to ask the owner to add a TXT record that you will verify, to ensure that the domain owner agrees to the use of their domain when someone adds it to your platform.


Q: What problem are you trying to solve?
A: Subdomain/domain takeover, and a more secure way for a domain owner to authorise the use of their domain on your platform.


Q: If solved, what value would this provide (ex. increased efficiency, cost savings, etc.)?
A: Credibility, security, human error prevention!


Q: Use Case example? (ex. As a ____ I want to be able to _____ so I can _____.)
A: I can provide an example of a subdomain takeover that I was able to do while researching for a bug bounty.


Q: Is this being solved by another workaround or any other tool today?
A: Some other companies use this kind of authorization for the use of subdomains on their platforms.


#2

Hi Tomahock,

You are correct, this is a gap in the addition of domains to a customer account. The use of a TXT record is definitely the correct way of proving ownership (the fallback of using HTML code snippets on the main domain website also works).

We have made the Engineering team aware of the situation and the importance of fixing this gap in a short timeframe.

Signed,

Scott Brown
Head of Security @ Unbounce
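The TXT-record ownership check proposed in the request and confirmed in the reply, as an added example that is neither Unbounce's code nor the poster's. The record label `_platform-verify`, the `platform-verify=` value prefix, the server secret and the fake resolver are all assumptions constructed for illustration; the point it shows is that binding the published value to the claiming account stops a stale record left in DNS from authorising a different account.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable

# Illustrative names only: the label, prefix and secret are assumptions, not
# Unbounce's actual scheme. In practice the secret comes from a secret store.
VERIFY_LABEL = "_platform-verify"
VALUE_PREFIX = "platform-verify="
SERVER_SECRET = b"constructed-server-secret"

def _normalize(domain: str) -> str:
    return domain.strip().rstrip(".").lower()

def _mac(account_id: str, domain: str, nonce: str) -> str:
    # Bind the challenge to account AND domain so a record left behind by an
    # earlier owner (the "forgot to remove a line" case) cannot be reused by
    # a different account to claim the name.
    msg = f"{account_id}|{_normalize(domain)}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(account_id: str, domain: str) -> str:
    """TXT value the owner must publish at _platform-verify.<domain>."""
    nonce = secrets.token_hex(8)
    return f"{VALUE_PREFIX}{nonce}.{_mac(account_id, domain, nonce)}"

def verify_domain(account_id: str, domain: str,
                  resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if a TXT record at the verification name carries a challenge
    valid for this account. resolve_txt(name) returns the TXT strings at
    name; production would wrap a real DNS query, here it is injected so
    the check runs offline."""
    name = f"{VERIFY_LABEL}.{_normalize(domain)}"
    for value in resolve_txt(name):
        if not value.startswith(VALUE_PREFIX):
            continue  # unrelated TXT records (SPF etc.) may share the name
        nonce, _, mac = value[len(VALUE_PREFIX):].partition(".")
        # compare_digest needs ASCII str; reject anything else up front
        if mac.isascii() and hmac.compare_digest(mac, _mac(account_id, domain, nonce)):
            return True
    return False

def make_fake_resolver(zone: dict) -> Callable[[str], list]:
    """Constructed stand-in for a DNS TXT lookup, keyed by record name."""
    return lambda name: list(zone.get(name.lower(), []))
```

Only the account that requested the challenge can pass `verify_domain` with it, so a record forgotten in DNS after the original owner leaves does not let anyone else attach that domain.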