Short.io takeover #260

pdelteil · 2022-02-19T16:47:35Z

Service name

Short.io

Proof

dig target.tld

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;target.tld.		IN	A

;; ANSWER SECTION:
target.tld.	3600	IN	A	52.21.33.16
target.tld.	3600	IN	A	52.2.56.64

Documentation

https://help.short.io/en/articles/4065825-general-subdomain-setup-instruction

The text was updated successfully, but these errors were encountered:

pdelteil · 2022-03-16T04:27:54Z

I also added this template to nuclei.

gugu · 2022-12-30T14:34:42Z

Hi!

Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.

I'll share our checks:

If you connect a domain example.com to Short.io, noone can add example.com subdomain except you
You can not delete a domain in our system if it is still marked as configured. We require to disconnect the domain first. It is annoying for our users, but we take security seriously

There can be a corner case when user points DNS records to our IP and does not add a domain, but should be a deliberate action because we display configuration instruction after the user adds a domain in our system.

Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents legitimate domain owner from using our service (and this problem is solved by our support engineers).

Feel free to tell us if you don't think these measures are enough

0xspade · 2023-03-27T01:04:43Z

Hi!

Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.

I'll share our checks:
1. If you connect a domain example.com to Short.io, noone can add example.com subdomain except you

2. You can not delete a domain in our system if it is still marked as configured. We require to disconnect the domain first. It is annoying for our users, but we take security seriously
There can be a corner case when user points DNS records to our IP and does not add a domain, but should be a deliberate action because we display configuration instruction after the user adds a domain in our system.

Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents legitimate domain owner from using our service (and this problem is solved by our support engineers).

Feel free to tell us if you don't think these measures are enough

confirm, not vulnerable anymore.

gugu · 2023-06-17T19:48:57Z

Can you please update the Readme?

gugu · 2024-05-01T09:34:52Z

@EdOverflow can you please update details about our website?

pdelteil · 2024-05-09T21:51:35Z

Hello there @gugu,

I can confirm this takeover is still possible.

hlynurfrey001 · 2024-05-28T17:31:48Z

Hello there @gugu,

I can confirm this takeover is still possible.

How ??

gugu · 2024-05-29T05:40:22Z

Yes, more details will be helpful addition to your answer

pdelteil · 2024-05-29T15:05:50Z

Hello there @gugu,
I can confirm this takeover is still possible.

How ??

Adding a custom domain discovered with the template. Test it yourself.

pdelteil · 2024-05-29T15:06:34Z

Yes, more details will be helpful addition to your answer

where can I send you a report? BBH? 🤣

hlynurfrey001 · 2024-05-30T06:19:18Z

Yes, more details will be helpful addition to your answer

where can I send you a report? BBH? 🤣

At mail hlynurfrey@gmail.com

hlynurfrey001 · 2024-05-30T06:19:59Z

a custom domain discovered with the template. Test it you

what do you mean ?

EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Feb 21, 2022

pdelteil closed this as completed May 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Short.io takeover #260

Short.io takeover #260

Short.io takeover #260

Short.io takeover #260

Comments

Service name

Proof

Documentation