Hundreds of subdomains hack3d! (including Hacker0ne)
Last month was something interesting. While looking to take over some subdomains at HackerOne, I found one that caught my attention: info.hacker.one. Its DNS was pointing to unbouncepages.com, a landing-page app service. Looking at the API, I tried to add the HackerOne domain, but the output was: "domain is already claimed".
Well.. I tried to find another way around this. After hours of looking at endpoints, trying different requests and changing some params, I was able to bypass the domain filter. This bypass gives the power to add any domain whose DNS is managed by (points at) unbouncepages.com.
Well.. at this point info.hacker.one was hacked!
Looking at the Unbounce servers, I decided to do a reverse DNS lookup on 18.104.22.168 to see which other domains could be compromised with this bypass. To my surprise, hundreds of subdomains appeared! A few of the domains are listed here:
(With some Google dorks I've been able to locate more domains under this service.)
(The complete list includes domains like payoneer.com, fiverr and other important companies that were compromised.)
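The fix on the zone owner's side is to find every name that still delegates to the landing-page service and remove or reclaim it. As an added defender-side example (not code from the write-up or from Unbounce), here is a small zone audit that follows each name's CNAME chain and flags the ones ending at unbouncepages.com or at the address quoted above; the sample zone, the parser and the Finding record are constructed for this example.

```python
from collections import namedtuple
# Hosting the write-up shows an outsider could claim: the Unbounce landing-page service,
# keyed by hostname suffix and by the address the author reverse-resolved. Extend as needed.
DELEGATED_SUFFIXES = {"unbouncepages.com": "Unbounce"}
DELEGATED_IPS = {"18.104.22.168": "Unbounce"}
Finding = namedtuple("Finding", "name service target chain")

# Constructed sample zone for a hypothetical example.com; not data from the write-up.
SAMPLE_ZONE = """
info.example.com.  300 IN CNAME example.unbouncepages.com.
www.example.com.   300 IN CNAME info.example.com.
lp.example.com.    300 IN A     18.104.22.168
mail.example.com.  300 IN A     203.0.113.10
blog.example.com.  300 IN CNAME ghs.example.net.
"""

def parse_zone(text):
    """Minimal BIND-style parser ('owner [TTL] IN TYPE value') keeping only A and CNAME."""
    zone = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()          # drop comments, tokenize
        if len(fields) < 4 or fields[-2] not in ("A", "CNAME"):
            continue
        zone[fields[0].rstrip(".").lower()] = (fields[-2], fields[-1].rstrip(".").lower())
    return zone

def classify(target, rtype):
    """Return the third-party service `target` belongs to, or None."""
    if rtype == "A":
        return DELEGATED_IPS.get(target)
    for suffix, service in DELEGATED_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None

def audit_zone(zone):
    """Follow each name's in-zone CNAME chain; report names that end at a third party."""
    findings = []
    for name in zone:
        chain, cur, seen = [], name, set()
        while cur in zone and zone[cur][0] == "CNAME" and cur not in seen:
            seen.add(cur)
            cur = zone[cur][1]
            chain.append(cur)
        rtype, target = zone.get(cur, ("CNAME", cur))  # off-zone CNAME target
        service = classify(target, rtype)
        if service:
            findings.append(Finding(name, service, target, chain))
    return findings
```

Run `audit_zone(parse_zone(SAMPLE_ZONE))` over your own zone export; every finding is a name that the provider, not you, controls until the record is removed or the page is re-registered under your account.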
Details of the HackerOne report here: https://hackerone.com/reports/202767
Thanks to HackerOne for the awesome platform, and special thanks to all the amazing hackers who inspire me to improve every day:
- Peter Yaworski
- Yassine Aboukir
- Frans Rosen
HAPPY HACKING! by ak1t4
Whiteh4t Hack3r & Zen Monk & bounty hunter - https://twitter.com/knowledge_2014 hackerone.com