Hundreds of hundreds sub-secdomains hack3d! (including Hacker0ne)

Last month was interesting. While looking to take over some subdomains at HackerOne, I found one that caught my attention, was . The DNS was pointing to a landing pages app service. Looking at the API, I tried to add the HackerOne domain, but when I tried, the output was: “domain is already claimed”.

Well.. I tried to find another way to bypass this. After hours of looking at endpoints, trying different requests and changing some params, I could hack & bypass the domain filter. This hack gives me the power to add any domain managed by the DNS of

Well.. at this time was hacked!

Looking at the unbouncepages servers, I decided to do a Reverse DNS to and see which other domains could be compromised with this bypass.. To my surprise, hundreds of subdomains appeared! A few of the domains are listed here:

(With some Google dorks I’ve been able to locate more domains under this service)

(In the complete list are domains like, fiverr and other important companies compromised)

The bounty:

Details of HackerOne Report here:

Thanks to HackerOne for the awesome platform and special thanks to all the amazing hackers who inspire me to improve every day:

  • Peter Yaworski
  • Nahamsec
  • Yassine Aboukir
  • Zseano
  • Frans Rosen