Subdomain takeover [Awarded $200]
The story is simple, the reward was “alright”. Let’s start. ^_^
I came across a website known as ownCloud. Their bug bounty program is located here — https://owncloud.com/owncloud-bug-bounty-program/ and their H1 program is located here https://hackerone.com/owncloud
Their bounty program looked nice and juicy and I wanted some dough ( 🤑 )
So I ran https://github.com/aboul3la/Sublist3r [pretty sure everyone is aware of this] and I came across a domain that was displayed as
So I did a quick lookup on their CNAME: it pointed to owncloud.fider.io, but somehow that target was not serving their feedback.owncloud.com domain. CNAME check tool I used — https://toolbox.googleapps.com/apps/dig/
I then registered a demo account on https://getfider.com/ and saw that they had a custom domain page where you could set whichever domain you wanted.
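The precondition for the takeover described above is a CNAME that delegates a subdomain to a third-party service host which is no longer bound to a tenant. As an added example (not code from the write-up or from ownCloud/Fider), the check below walks a subdomain inventory and flags exactly that condition. It takes the DNS answers and the HTTP "tenant not configured" probe as injected callables so it runs offline on constructed sample data; in production you would feed it real answers, for instance from dnspython's `dns.resolver.resolve(name, "CNAME")`. The provider suffix list is an assumption and is not exhaustive.

```python
"""Defender-side dangling-CNAME inventory check (added example, not from the
write-up). Runs offline on constructed data via injected probes."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Suffixes of SaaS providers that let a tenant attach an arbitrary custom
# domain. Constructed, non-exhaustive; fider.io is the one from the write-up.
THIRD_PARTY_SUFFIXES = (".fider.io", ".github.io", ".herokuapp.com")


@dataclass
class Finding:
    subdomain: str
    cname: str
    reason: str


def _norm(host: str) -> str:
    """Strip the trailing dot that dig prints and lower-case the name."""
    return host.rstrip(".").lower()


def third_party_suffix(host: str) -> Optional[str]:
    """Return the matching provider suffix, or None for first-party targets."""
    h = _norm(host)
    for suffix in THIRD_PARTY_SUFFIXES:
        if h.endswith(suffix):
            return suffix
    return None


def check_subdomains(
    cnames: Dict[str, Optional[str]],
    resolves: Callable[[str], bool],
    unclaimed: Callable[[str], bool],
) -> List[Finding]:
    """Flag CNAMEs into a third-party provider that are dangling.

    resolves(target)     -> True if the CNAME target still has an A/AAAA answer.
    unclaimed(subdomain) -> True if the provider answers for the subdomain with
                            its "domain not configured / no such tenant" page.
    Either condition means the name is claimable by whoever registers it,
    which is what the bug bounty report above exploited.
    """
    findings: List[Finding] = []
    for sub, target in cnames.items():
        if target is None:
            continue  # plain A record, not a CNAME delegation
        suffix = third_party_suffix(target)
        if suffix is None:
            continue  # points at our own infrastructure
        if not resolves(target):
            findings.append(Finding(sub, _norm(target), f"{suffix} target returns NXDOMAIN"))
        elif unclaimed(sub):
            findings.append(Finding(sub, _norm(target), f"{suffix} tenant not configured for this host"))
    return findings


# Constructed sample data standing in for real dig output and HTTP probes.
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "feedback.owncloud.com": "owncloud.fider.io.",   # the write-up's case
    "docs.example.com": "example.github.io.",        # constructed
    "www.example.com": None,                          # constructed, no CNAME
    "blog.example.com": "blog-example.herokuapp.com.",  # constructed, healthy
}
SAMPLE_RESOLVABLE = {"example.github.io", "blog-example.herokuapp.com"}
SAMPLE_UNCLAIMED = {"docs.example.com"}  # provider serves its placeholder page


def run_sample() -> List[Finding]:
    """Run the check against the constructed inventory."""
    return check_subdomains(
        SAMPLE_CNAMES,
        resolves=lambda host: _norm(host) in SAMPLE_RESOLVABLE,
        unclaimed=lambda sub: sub in SAMPLE_UNCLAIMED,
    )


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.subdomain} -> {f.cname}: {f.reason}")
```

Running it on the sample reports feedback.owncloud.com (target gone) and docs.example.com (target alive but unbound), while the healthy Heroku record and the plain A record produce nothing. The two branches matter because providers differ: some remove the tenant hostname entirely, others keep it resolving and serve a generic "not configured" page, and an inventory check that only looks for NXDOMAIN misses the second kind.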
I also noticed an advanced page in the settings that lets you add custom CSS. I cooked up an IP grabber and a cookie grabber via CSS to show how this could be escalated.
I swiftly reported it and within 2 hours the issue was fixed, handled over email. I was then told to submit the report on HackerOne and I got my bounty.
I thought I would have gotten $5k for their subdomain takeover, but it turned out to be $200 since .ownCloud was out of scope. However, I’d deem this a very high security risk and the payout should have been more, but what can you do — the company has “more rights” to your inputs than you yourself.
Grateful, but not satisfied.
4/20/2019: issue reported. 2 hours later the issue was fixed.
Email discussion over 3 weeks, until 5/6/2019.
Paid out on 5/7/2019: $200.
Worth it? Not sure.
Thanks for reading.
If you have questions regarding this, feel free to shoot me a DM on Twitter https://twitter.com/Skeletorkeys or join our Discord server https://discord.gg/B6rZDTB to talk to any of the hundreds of people there for help, or if you’re just looking to talk to other Hax0rs.