Subdomain takeover of blog.snapchat.com

My dog waiting for the FBI to show up

The Issue

Snapchat does not have a lot of public-facing subdomains; as of right now a basic subdomain scan on pentest-tools.com shows only 13 subdomains (compared to 799 for Facebook). I figured with a high-profile bounty program like Snapchat these would be tested pretty hard and decided not to bother. However, I’ve been doing some WordPress hacking lately and blog.snapchat.com caught my eye.

There’s nothing here.

The DNS record for blog.snapchat.com shows a CNAME record and some logic pointing to snapchat-blog.com, which resolved to the below page.

Tumblr 404 page

I have limited experience with Tumblr but I assumed this was an unclaimed blog page. My first guess was that in the background they were pointing to some website like snapchat.tumblr.com, but that blog was already taken, so this was wrong.

After some digging I found out Tumblr has the same custom domain setup as many other websites:

  • Point your DNS to their IP through an ANAME record
  • Let the website deal with the CNAME stuff.

I was able to verify this by nslookup, seeing that snapchat-blog.com pointed to 66.6.32.21, an IP owned by Tumblr for custom domain routing.

# nslookup snapchat-blog.com
Non-authoritative answer:
Name: snapchat-blog.com
Address: 66.6.32.21

Viewing Google’s cached copy of this page shows this domain was properly claimed the day before (9/24). Snapchat must have accidentally removed the custom domain claim from their Tumblr account in the last 24 hours, probably in preparation for switching to snap.com/news for their recent re-branding.

After I figured out how Tumblr handled CNAMEs it was as easy as going to my account settings and claiming the domain name.

Tumblr custom domain settings

My First Tumblr

Visiting blog.snapchat.com (which redirects to snapchat-blog.com) then showed the following:

Snapchat blog page

I decided to put my name on this subdomain for a valid PoC, so they knew threat actor activity was not the cause, and to aid Snapchat in fixing the vulnerability if they did not see the HackerOne report first. This ultimately led to me not receiving a bounty, since I did not handle this in a quieter manner. That was not my initial intention, but I can understand their position.
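For defenders, the condition described in this post (a name that still routes to Tumblr's custom-domain IP while no blog claims it) can be checked across a DNS inventory. The following Python is an added example, not code from the original post: the `example.com` records, page bodies and function names are constructed, the hop to the second domain is modelled as a plain CNAME, and the marker is assumed to be the text of the Tumblr 404 page shown above.

```python
# Audit a DNS inventory for names that land on a hosting provider with no claimed site.
# Tumblr's routing IP and 404 text are the ones quoted in the post; all else is constructed.
PROVIDERS = {"66.6.32.21": ("Tumblr", "there's nothing here")}

def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs in `records` to an A record; return (chain, ip or None)."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rtype, value = records.get(chain[-1], (None, None))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME" or value in seen:   # missing record or CNAME loop
            return chain, None
        chain.append(value)
        seen.add(value)
    return chain, None

def audit(hosts, records, pages):
    """Return findings for hosts routed to a provider IP that serves its unclaimed page."""
    findings = []
    for host in hosts:
        chain, ip = resolve_chain(host, records)
        if ip not in PROVIDERS:
            continue
        provider, marker = PROVIDERS[ip]
        status, body = pages.get(chain[-1], (None, ""))
        text = body.lower().replace("\u2019", "'")   # normalise curly apostrophe
        if status == 404 and marker in text:
            findings.append({"host": host, "chain": chain, "provider": provider})
    return findings

# Constructed inventory: name -> (record type, value).
RECORDS = {
    "blog.example.com": ("CNAME", "example-blog.com"),
    "example-blog.com": ("A", "66.6.32.21"),
    "news.example.com": ("CNAME", "example-news.com"),
    "example-news.com": ("A", "66.6.32.21"),
    "www.example.com": ("A", "192.0.2.10"),
    "loop.example.com": ("CNAME", "loop.example.com"),
}
# Constructed HTTP results (status, body), keyed by the last name in the chain.
PAGES = {
    "example-blog.com": (404, "<h1>There\u2019s nothing here.</h1>"),
    "example-news.com": (200, "<h1>Example News</h1>"),
}

if __name__ == "__main__":
    print(audit(list(RECORDS), RECORDS, PAGES))
```

In a real audit, `records` and `pages` would be filled from the zone export and an HTTP fetch of each final name; a finding means the DNS record should be removed or the provider-side claim restored.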

Resolution Timeline

9/25/16

  • 3:08 PM CDT: Issue reported to Snapchat on HackerOne
  • 7:18 PM CDT: Snapchat confirms the vulnerability and asks me to redirect to the real blog for a temporary fix. They also redirected blog.snapchat.com to snap.com/news for a stronger fix.
  • 8:33 PM CDT: Email contact begins to help transfer the snapchat-blog.com Tumblr ownership

9/26/16

  • 9:59 AM CDT: Tumblr ownership is transferred to Snapchat

10/4/16

  • 9:37 PM CDT: Report is closed

10/5/16

  • 1:41 PM CDT: Request for public disclosure approved

Thank you to Snapchat for the quick response time and for running such a great bug bounty program. If you are interested in their program please visit https://hackerone.com/snapchat.


Written by Jake Reynolds

https://jakereynolds.co All contents of this blog are not associated with my employer.
