Subdomain takeover with Shopify, Heroku and something more …

It’s a typical story which happens to me time to time.

Few time on the internet and boom, i found a bunch of critical bugs.
That was not a typical bugs. And that was not a typical company. It was electric skateboard company from TOP 3 in the world. That company was not happy to disclose their official name. So let’s name it — ESKATE.

I will not explain to you how to proxy you mobile phone. But i’ll recommend you for doing this time to time with apps which you used for daily business. That can help you to be safer and not trust for some companies which don’t care about security of their users. You can be surprised how many are there.

First thing which i found, was public tracking logs of all users which used official ESKATE app.

Don’t you remember last news about fitness app which tracked and disclosed tracks of all users? Also there were soldiers from many secret military bases!!! That was the same thing, but more critical. Inside of these logs it was possible to see personal sensitive data like username, email, etc.

Also not so difficult to understand where people lived ( by endings of tracking sessions )

Second finding was about logical bugs on this app. It was possible to create users without passwords. It was possible to send messages to unpublished users…

And a bit more:

  • It was possible to reset passwords for all users of this app. Because username was disclosed on tracking logs.
  • It was possible to see users pictures from public folder.
  • It was disclosed and vulnerable server version.
  • Also it was http only protocol with base64 auth header. (so easy to catch privat data on public networks)

You can start thinking that it’s pretty crazy for having all this issues in one place. I was surprised too. And i was surprised to find two domains with this picture.

I read about that before. That it’s possible to takeover subdomain. But for me it was only theory without real examples.
You can’t imagine how easy it was to takeover two subdomains of this ESKATE company.

First, I just create trial account on Shopify.
Then I just put this vulnerable subdomains on Shopify domain config.

And boom. I have two subdomains on very interesting main domain name.

If i were a bad person i could use already disclosed data from tracking logs for phishing attack. Making phishing web page on one of this vulnerable subdomain. And start making money with scam about preordering new model of electric skate from this company with insane discount !!!

When I understood how easy to takeover subdomain. I checked my favourite web page of one huge sport brand. I was in contact with them under this issue . There I found another subdomain takeover thing with Heroku service.

And it was also easy to takeover subdomain and making it as your own. I did a special POC to demonstrate a risk of this thing with that steps:

  • Registered Heroku account
  • Registered My credit card to link already configured subdoamin as mine.
  • Linked Heroku app with vulnerable subdomain.
  • Made Heroku Node.js "Hello world" with very basic steps :

$ git clone https://github.com/heroku/node-js-getting-started.git
$ cd node-js-getting-started
$ heroku login 
<fill_in_your_heroku_email>
<fill_in_your_password>

Initialize a git repository in a new or existing directory
$ cd my-project/
$ git init
$ heroku git:remote -a <APP_Name>

Commit your code to the repository and deploy it to Heroku using Git.
$ git add .
$ git commit -am “make it better”
$ git push heroku master
$ heroku open

And here is my POC

I tried to contact with ESKATE company two times. First time i wasn’t so lucky. Contact person was not so interested in my bugs. It was last month of 2017 year. In 2018 by lead of chain i found the way to takeover two subdomains, and i tried to contact with ESKATE company second time. That time i was in contact with the right person. Just found developer in LinkedIn.

We talk with him about all this bugs. And DNS CNAME was reconfigure for not making subdomain takeover. Also they turned off server with backend of their native app. And now there is no risk for their users of leaking some sensitive data.

Issue with huge sport brand on Heroku service also was fixed very quick.

I am so happy to not have “Not resolved” vulnerabilities in my mind. Wish you good luck and happy hacking.

PS: Click “Clap” icon if you like this article ;)