Discourse hosted subdomain takeover possible?
chackmate opened this issue · 6 comments
Are subdomains hosted at Discourse vulnerable to takeover or not?
More info from 2017.
@pdelteil Following back up on this. Do we know what the site displays (search text) for when a domain is vulnerable? Seems like this is pretty old, but not seeing it anywhere.
So yesterday I found a Google acquisition that pointed to xxx.trydiscourse.com. I registered the Discourse account with the trial and managed to take over the CNAME the original one pointed to. Due to some weird caching issues the original domain remained at 404, but I managed to take over the CNAME linked to it.
I found out that *.trydiscourse.com is vulnerable, whereas *.hosted-by-discourse.com is not vulnerable.
So, subdomain takeover on Discourse is possible in edge cases.
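For anyone auditing their own DNS after reading this thread, the following is an added example (not part of the issue and not project code) that scans a zone export for CNAMEs into the two Discourse hosting suffixes named in the last comment. The zone content, the `example.test` names and the status labels are constructed, and the classification only mirrors what that comment reports.

```python
# Added example: flag CNAMEs in your own zone export that point into
# Discourse hosting. Statuses mirror the thread's report, nothing official.
REPORTED = {
    "trydiscourse.com": "review",               # reported vulnerable in the thread
    "hosted-by-discourse.com": "reported-ok",   # reported not vulnerable
}

# Constructed sample zone (BIND-style), not real data.
SAMPLE_ZONE = """\
$ORIGIN example.test.
forum      3600 IN CNAME acme.trydiscourse.com.   ; trial-era record
community  IN CNAME acme.hosted-by-discourse.com.
www        IN CNAME web.example.test.
lookalike  IN CNAME x.nottrydiscourse.com.
Meta       CNAME    Old.TryDiscourse.com.
"""

def fqdn(name, origin):
    """Lowercase absolute name without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def audit_zone(zone_text, origin):
    """Return (owner, target, status) for CNAMEs into the listed suffixes.
    Simplification: every record line is assumed to start with its owner name."""
    origin = origin.lower().rstrip(".")
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()    # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].lower().rstrip(".")
            continue
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper[1:-1]:           # need a target after CNAME
            continue
        target = fqdn(fields[upper.index("CNAME", 1) + 1], origin)
        for suffix, status in REPORTED.items():
            # Match on a label boundary so look-alike domains are not flagged.
            if target.endswith("." + suffix):
                findings.append((fqdn(fields[0], origin), target, status))
    return findings

if __name__ == "__main__":
    for owner, target, status in audit_zone(SAMPLE_ZONE, "example.test"):
        print(f"{status:12} {owner} -> {target}")
```

Records marked `review` are the ones to confirm still map to a Discourse site you control, or to delete if the trial site is gone.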