Going through the hackerone report it seems that this instance of subdomain takeover was indeed an exploitation of a vulnerability on the Unbounce services. In the same report, both parties (researcher and Unbounce security team) confirm that the Unbounce vulnerability has been fixed.
Unless there is another instance of subdomain takeover for Unbounce I'll agree with @smiegles that Unbounce's entry is a false-positive.

@edeirme , subdomain takeover with Unbounce is still possible. I confirmed this right now by creating a domain and then setting its CNAME to unbouncepages.com. This is what Unbounce asks its user to do. If you have a domain that is pointed to unbouncepages.com but does not look claimed, you can create a user account, add a PayPal or Credit Card and then add a custom domain. Once the custom domain is added and you publish a page, it should display the content in that domain.

@rojan-rijal ur totally right .. last night i reported a subdomain takover and it was using unbounce. The sec team triaged it asap ..!
😅

I think the main issue is the fact that we reference https://hackerone.com/reports/202767 in the Unbounce section which, as @smiegles pointed out, is not accurate and can no longer be exploited. We should remove that reference. Thank you for raising an issue, @smiegles.

Are you sure the takeover is still possible?
I am getting this error message when I try to "Add a New Custom Domain":

Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com

Any idea how we can now

I don't think we can if someone has an unbounce account I can give you a link to test

@rosonsec @d55pak, Last I checked it was still possible. There might be some edge cases though for example, when I tested, I simply pointed my domain to Unbounces CNAME and see if it was vulnerable. In your case it seems like the domain was being used activity before and then removed from Unbounce. Unbounce might be blocking takeover on those types of domains but I am not sure yet. I will look into this further and update the ticket.
Cheers!

@rojan-rijal if you DM me on Twitter I can give you a previously used domain that is still pointing to a unbounce CNAME

• I have tried to takeover 10 subdomains which has following Fingerprint
  The requested URL was not found on this server.

Results of 10 subdomains are either:

Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

• Looks like unbounce preventing us from takeovers which they have used their service previously.

👍

Sorry, I have been extremely busy lately and have not had a chance to update the project. We determined that there is only one rare case where one can hijack a subdomain pointing to Unbounce and that is if the team never had a project in the first place. The likelihood of this being the case is so minute that I personally do not think we should claim that it is possible to hijack subdomains pointing towards Unbounce. Thank you to everyone who participated in this discussions here; it is an absolute pleasure seeing everyone working together like this. :)

Hey there, I was reading this thread and seems pretty interesting. Which is a subdomain takeover?

A subdomain takeover is posible when the attacker can claim an unclaimed domain name through an alias or canonical name (cname) pointing to unbouncepages.com.
Some 3rd party services put filters to avoid this, like adding a random TXT record or hash or others methods to force and secure the DNS entries as unique per customer, which is NOT the case of unbouncepages.
An attacker can claim a domain not claimed over unbouncepages.com. So, We have 3 scenarios when we want takeover a subdomain over unbounce:

1. 'Domain is already in use' (which means that the domain is claimed)
2. 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (Which means that the domain is NOT actually claimed or used but unbounce detect that the domain was used in the pass) [they put this filter as intent to avoid takeovers.]
3. Claim the domain (no errors: the domain is added to domains section correctly)

*The 3rd options is still available and works: so YES, unbouncepages is Vulnerable to Subdomain Takeover.

regards,
@ak1t4

@EdOverflow @codingo Takeover via Unbounce is still Vulnerable as @ak1t4 said there is 3 cases .. I do a takeover last week and my friend do 1 takeover from unbounce less than month ago

;)

@ak1t4 They mentioned here this is Edge Case and in the main status Not vulnerable ..
This Poc belong to the duplicate report which got duplicate after traiged and fixed :-(

That awkward moment when you realise that you have left the target's hostname in the tab bar. :P

@EdOverflow By mistake :-D

but its fixed now and didn't Pay.

hahahaahah!!!

Hi,
where I can find vulnerable domain sites because I tried for many one but not get it to perform subdomain takeover. Even search in google dork.

No bro there is an old Subdomains connected to Unbounce Services so Unbounce takeover is still exist.

Hi @Vishnugadupudi as @ak1t4 said :

We have 3 scenarios when we want takeover a subdomain over unbounce:

1. 'Domain is already in use' (which means that the domain is claimed)
2. 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (Which means that the domain is NOT actually claimed or used but unbounce detect that the domain was used in the pass) [they put this filter as intent to avoid takeovers.]
3. Claim the domain (no errors: the domain is added to domains section correctly)

info.hacker.one is already in use and already has pages example :
https://info.hacker.one/the-data-protection-officer/
https://info.hacker.one/2018-hacker-report/

This mean case (1)
Domain is already in use' (which means that the domain is claimed)

So not possible to takeover it .

Kind Regards,
Mohamed Haron.

@m7mdharoun :)

hello.guys.
takeover is still possible???

hello.guys.
takeover is still possible???

I just tried today and it fails ....

so Unbounce not a vuln ?

It's vulnerable?

no bro

is it still working ?

Does this still work, anyone ?

Does this still work, anyone ?

no

@rojan-rijal ur totally right .. last night i reported a subdomain takover and it was using unbounce. The sec team triaged it asap ..! 😅
how you exploited i mean how takeover

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .

But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

which command i can use to check this ?

dig subdomain.domain.com

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

Hello ,
I just test 3 subdomains with 404 Error Via Unbounce .
i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .
But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Are you sure ?

Found a case just like you said and this is what I got

this is the same error I am facing, anybody knows if it is still possible to bypass it and take over?

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

There was no error, for me at least. I guess it was pure luck, I guess?

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

There was no error, for me at least. I guess it was pure luck, I guess?

maybe, good for you.
What about the txt record entry thing mentioned above, aren't we need to have access to the target's root domain for this?
btw I just contacted the support team and they also provide me with an entry to add as Txt record, can I add this in any domain I owned?

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .
But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

Yes you are right

Hi, is there any special indication other than cname, for example from the protocol whether SSL is available, error or not?

still vulnerable ?

still vulnerable ?

Unfortunately not possible.

It's still vulnerable but only as a rare edge case, I exploited a valid one a few days ago - see Stratus-Security/Subdominator#1 (comment)

Hello @coj337 I recently saw on Unbounce account giving an 404 Status code. Could you please help me confirm if its vulnerable for subdomain takeover with your account? I don't have funds to purchase one. Thank you very much sir.

If it is, then well share the outcome.
Am a bug bounty hunter by the way :)

I was able to add a domain but it says "Error Finding CNAME" How can i resolve this anyone?

Hello, even after when you add your domain, It is not vulnerable.
Just shift your attention to something else.

Not true.

If you manage to add a custom domain then there's a complete subdomain take over.

Not true.

If you manage to add a custom domain then there's a complete subdomain take over.

Yeah i think so, it's possible, The domain was pointing at a random ip address while using dig command and when i can subzy it was vulnerable to unbounce subdomain takeover and also when i claimed the subdomain it got claimed but after that it was asking for a cname to go live i guess. So, if anyone knows how to do that please help

Ok. No challenge.
I'll be glad to learn how you will do that.
Thanks and regards