Subdomain takeover dew to missconfigured project settings for Custom domain .

Hi readers ,

Today I will write about Subdomain takeover . It’s a common Security issue what is actually developers mistake when they left a Unused/unclaimed 3rd party Service DNS CNAME record for a subdoamin of theirs and Hackers can claim those subdomains with the help of external services it pointing to what could lead to serious issues . You can learn more about Subdomain takeover from detectify blog .

While testing I got a domain what is under flock company . So I stared looking at it’s subdomains and got subdomain . When I visited the subdomain in browser I got a error like below screenshot :-

Error Page

This took my attention . So I checked the DNS record for this domain .

R3liGiOus_HuNt3r$ dig
; <<>> DiG 9.10.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
; IN A
;; Query time: 69 msec
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From above record we can say the subdomain is pointing to CNAME . So I start looking at custom domain documents on website to understand how they works . From their document I understand that :-

  • You need a subdomain pointing to your subdomain [] .
  • Your subdomain should be configured in domains settings in following page<project

So to takeover I need to check if is alreday claimed of not . But Unfortunately it was already claimed :( . But I have seen many such services doesn’t force users to verify their ownership of domains by using same CNAME txt record like their service subdomain . So still there’s a hope .

I opened a account in and I got a subdomain . Then I go to domains settings and in Custom Domain Field used as value and save changes .

Now when I visited It redirected me to this page what saying now that Not Yet Active.

See page title ;)

This is showing as I am using a trail account . In the webpage title you will see my project name what I used while creating the project . So now this domain is serving my contents from project page .

How to avoid such issues ? :- Always update your DNS records . remove CNAME or any other DNS records what is not in used .

If you find a security vulnerability feel free to contact them via

Thanks for reading . You can find me on Facebook anytime :-