How I found a vulnerability at Capital One

Two weeks ago I went to the hackathon HackNotts, and while working on the project with my team (by the way, we won 2 Amazon Echo dots each), I decided to have a look at one of the sponsors, Capital One, what they do and what jobs are available within their company.

I found out they have a subdomain named blog.capitalone.co.uk.

When I clicked on blog.capitalone.co.uk the page told me that it has not yet been mapped. DNS records showed that the subdomain had a CNAME record pointed to capitaloneukblogs.wordpress.com. To explain, the CNAME record is basically like a mirror of another website.

DNS record of the subdomain

So I registered an account on WordPress

I edited my username for privacy

Later, I paid £85 on WordPress to map the domain to my WordPress account. I had full control of the subdomain!

I reported it straight away at HackNotts. Here is a screenshot of the page:

How subdomain looked after takeover

Here is proof on Web Archive showing the same picture: https://web.archive.org/web/20161126161620/http://blog.capitalone.co.uk . Having full control meant I could have done whatever I wanted, install my own SSL certificate, pretend to be Capital One and steal credentials and much more.

After I reported it, the Capital One team asked questions as to how I did it and why it happened. I walked them through the process and told them explicitly that I have no malicious intentions, my goal is to help them etc. Immediately after, a member of their team went on the phone with their security department and higher management (that’s what I was told). After it was reported their team had promised me a number of things such as an internship, a possible bounty, and other things. I was told someone would get in touch with me between Monday to Friday. Unfortunately, no one got in touch with me….

I did make multiple attempts to contact Capital One about this issue, and they said they would respond in a specified timeframe. Unfortunately, that timeframe passed and I tried calling and sent an email to no avail. Thus, I have decided to go public in the hopes that more attention will be drawn to this issue and wider problems surrounding cybersecurity and human ethics.

I am disappointed that a company of this size has not kept its word.

More proof:

http://archive.is/N5jdn

Just to put in to context, this is how much people were getting from other companies. Similar domain takeovers and bounties paid:

https://hackerone.com/reports/32825 -$1680 paid

https://hackerone.com/reports/154425 -$3000 paid

https://hackerone.com/reports/149679 -$2,250 paid etc

I explicitly told Capital One that if they did pay me a money bounty I would NOT accept cash bounty rather a voucher or a physical item. This is due to many personal and other reasons and personal believes.

Capital One fixed this issue by the end of the hackathon.

EDIT 1(02.12 7th of November)

I would like to point out that I respect Capital One. I was greatly impressed with how quickly they fixed the vulnerability. I am very grateful with their other actions, for example them sponsoring hackathons, which in my opinion is great and helps young coders develop. This article is about me sharing my personal experience in my personal blog.

Like what you read? Give Alikhan Uzakov a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.