Hundreds and hundreds of subdomains hack3d! (including Hacker0ne)

Last month was interesting. While looking for subdomains to take over at HackerOne, I found one that caught my attention: info.hacker.one. Its DNS pointed to unbouncepages.com, a landing-page service. Looking at the API, I tried to add the HackerOne domain, but the output was: “domain is already claimed”.

Well.. I tried to find another way around this. After hours of looking at endpoints, trying different requests and changing some params, I was able to bypass the domain filter. This bypass gave me the power to add any domain whose DNS was pointed at unbouncepages.com.

Well.. at this point info.hacker.one was hacked!

Looking at the unbouncepages servers, I decided to do a reverse DNS lookup on 54.225.142.127 to see which other domains could be compromised with this bypass. To my surprise, hundreds of subdomains appeared! A few of them are listed here:

(With some Google dorks I've been able to locate more domains under this service.)

(The complete list includes domains like payoneer.com, fiverr and other important companies that were compromised.)
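The enumeration step above (find every hostname that delegates to the provider by CNAME or by the shared address, then check each against the provider's claim flow) is easy to turn into a triage script. The following is an added example, not code from the original post or from Unbounce: it parses `dig`-style answer lines, flags hostnames delegated to a tracked provider, and groups them per provider. The only values reused from the post are `unbouncepages.com`, `54.225.142.127` and `info.hacker.one`; the other hostnames in the sample zone are constructed for the demo.

```python
import socket
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Provider fingerprints. The Unbounce entries are the two values the post
# gives; any other provider you add here is your own inventory.
PROVIDER_CNAME_SUFFIXES: Dict[str, str] = {
    "unbouncepages.com": "Unbounce",
}
PROVIDER_ADDRESSES: Dict[str, str] = {
    "54.225.142.127": "Unbounce",  # address the post reverse-resolved
}

# Constructed sample in the shape of `dig +noall +answer` output. Apart from
# info.hacker.one (from the post) these hostnames are illustrative only.
SAMPLE_ZONE = """\
info.hacker.one.        300 IN CNAME lp.unbouncepages.com.
promo.example.net.      300 IN CNAME unbouncepages.com.
landing.example.org.    300 IN A     54.225.142.127
www.example.org.        300 IN A     203.0.113.10
blog.example.net.       300 IN CNAME ghs.googlehosted.com.
"""


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'name ttl IN type value' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank line, comment, or not a dig-style answer line
        name, _ttl, _cls, rtype, value = parts[:5]
        records.append((name.rstrip(".").lower(), rtype.upper(), value.rstrip(".").lower()))
    return records


def provider_for(rtype: str, value: str) -> Optional[str]:
    """Return the provider name if this record delegates to one we track."""
    if rtype == "CNAME":
        for suffix, provider in PROVIDER_CNAME_SUFFIXES.items():
            if value == suffix or value.endswith("." + suffix):
                return provider
    elif rtype == "A":
        return PROVIDER_ADDRESSES.get(value)
    return None


def find_candidates(text: str) -> Dict[str, List[str]]:
    """Group hostnames that point at a tracked provider, keyed by provider name."""
    groups = defaultdict(set)
    for name, rtype, value in parse_records(text):
        provider = provider_for(rtype, value)
        if provider:
            groups[provider].add(name)
    return {provider: sorted(names) for provider, names in groups.items()}


def reverse_lookup(ip: str) -> Optional[str]:
    """Live PTR lookup (needs network access); returns None if nothing resolves.

    A PTR answer for a shared provider address names at most the provider's
    own host. The per-customer hostnames the post found come from reverse-IP
    or passive-DNS sources, which this helper does not replace.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for provider, names in find_candidates(SAMPLE_ZONE).items():
        print(f"{provider}: {len(names)} hostname(s) to check against the claim flow")
        for hostname in names:
            print("  ", hostname)
```

Feed it the output of `dig +noall +answer` for the hostnames you collected (subdomain brute force, certificate transparency, Google dorks) and every hostname in a group is a candidate for the same claim check; whether a given candidate is actually takeable still depends on whether the provider verifies ownership before letting an account claim it, which is exactly the check the post found a way around.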

The bounty:

Details of HackerOne Report here: https://hackerone.com/reports/202767

Thanks to HackerOne for the awesome platform, and special thanks to all the amazing hackers who inspire me to improve every day:

  • Peter Yaworsky
  • Nahamsec
  • Yassine aboukir
  • Zseano
  • Frans Rosen

HAPPY HACKING! by ak1t4