EdOverflow/can-i-take-over-xyz

Short.io takeover

pdelteil opened this issue · 12 comments

Service name

Short.io

Proof

Screenshot from 2022-02-15 15-30-57

```
dig target.tld

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52054
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;target.tld.		IN	A

;; ANSWER SECTION:
target.tld.	3600	IN	A	52.21.33.16
target.tld.	3600	IN	A	52.2.56.64
```

Documentation

https://help.short.io/en/articles/4065825-general-subdomain-setup-instruction

I also added this template to nuclei.

gugu commented

Hi!

Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.

I'll share our checks:

  1. If you connect a domain example.com to Short.io, no one can add an example.com subdomain except you
  2. You cannot delete a domain in our system if it is still marked as configured. We require you to disconnect the domain first. It is annoying for our users, but we take security seriously

There can be a corner case when a user points DNS records to our IP and does not add a domain, but it should be a deliberate action because we display configuration instructions after the user adds a domain in our system.

Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents the legitimate domain owner from using our service (and this problem is solved by our support engineers).

Feel free to tell us if you don't think these measures are enough
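The first corner case in the comment above (DNS records pointed at the service's IPs while the domain is not added in the account) can be audited from the domain owner's side. The sketch below is an added example, not part of the thread or of Short.io's tooling: the zone export and the `CONFIGURED` inventory are constructed sample data, and treating the two IPs from the `dig` output as the service's address set is an assumption.

```python
import ipaddress
from collections import defaultdict

# IPs taken from the dig output in the issue; treating them as the service's
# current address set is an assumption, so confirm against the vendor docs.
SERVICE_IPS = {"52.21.33.16", "52.2.56.64"}

# Constructed sample zone export and account inventory (not real data).
ZONE = """\
$ORIGIN example.com.
@      3600 IN A     203.0.113.10
go     3600 IN A     52.21.33.16
go     3600 IN A     52.2.56.64
promo       IN A     52.2.56.64   ; TTL omitted
links.example.com. 300 IN A 52.21.33.16
www    3600 IN CNAME example.com.
"""
CONFIGURED = {"go.example.com"}  # domains actually added in the service account


def a_records(zone_text):
    """Map each fully qualified owner name to the set of its A-record IPs.

    Assumes every record line carries its owner name (no inherited owners).
    """
    origin, out = "", defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue  # other directives and non-A record types
        name = fields[0].lower()
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        out[fqdn].add(str(ipaddress.IPv4Address(fields[-1])))
    return out


def unclaimed(zone_text, service_ips=SERVICE_IPS, configured=CONFIGURED):
    """Names that point at the service but are not added in the account."""
    hits = {n: ips & service_ips for n, ips in a_records(zone_text).items()}
    return sorted(n for n, ips in hits.items() if ips and n not in configured)
```

Each name returned by `unclaimed(ZONE)` is a record to either add in the service account or remove from DNS.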

> Hi!
>
> Thanks for checking for domain takeover - we are aware of this type of attack and prevent it from happening.
>
> I'll share our checks:
>
> 1. If you connect a domain example.com to Short.io, no one can add an example.com subdomain except you
>
> 2. You cannot delete a domain in our system if it is still marked as configured. We require you to disconnect the domain first. It is annoying for our users, but we take security seriously
>
> There can be a corner case when a user points DNS records to our IP and does not add a domain, but it should be a deliberate action because we display configuration instructions after the user adds a domain in our system.
>
> Also, there can be a corner case when a user adds a domain he does not control, but it does not pose a security risk, only prevents the legitimate domain owner from using our service (and this problem is solved by our support engineers).
>
> Feel free to tell us if you don't think these measures are enough

confirm, not vulnerable anymore.

gugu commented

Can you please update the Readme?

gugu commented

@EdOverflow can you please update details about our website?

Hello there @gugu,

I can confirm this takeover is still possible.

> Hello there @gugu,
>
> I can confirm this takeover is still possible.

How ??

gugu commented

Yes, more details will be a helpful addition to your answer

> > Hello there @gugu,
> > I can confirm this takeover is still possible.
>
> How ??

Adding a custom domain discovered with the template. Test it yourself.

> Yes, more details will be a helpful addition to your answer

where can I send you a report? BBH? 🤣

> > Yes, more details will be a helpful addition to your answer
>
> where can I send you a report? BBH? 🤣

At mail hlynurfrey@gmail.com

> a custom domain discovered with the template. Test it you

what do you mean ?