Vulnerability Report-Subdomain Takeover @ Emurgo

Question

Vulnerability Report-Subdomain Takeover @ Emurgo

Mantisseclabs opened this issue 2 years ago · 4 comments

Mantisseclabs commented 2 years ago

Host: https://emurgo.io/

Issue: Subdomain Takeover

Affected Domain : http://testnet.seiza-website.emurgo.io/

POC:

https://drive.google.com/file/d/1ibwAtqGWq7Pe3_cpH50D0emI9pgro6ym/view?usp=share_link

Answer 1 · 2023-02-03T08:52:21.000Z

We cannot replicate this on our side, can you tell us how you did it?

Answer 2 · 2023-02-03T08:52:45.000Z

Can you do this with another domain? like testnet2.seiza-website.emurgo.io ?

Answer 3 · 2023-02-03T08:54:51.000Z

Did you point your local hosts files to point to heroku to make it look like you hacked one of our unused subdomains? :D

Answer 4 · 2023-02-03T11:41:38.000Z

The report is kinda meaningless, this subdomain is disabled a long time ago and is completely removed now. Although, thank you @phoenix20-git , this was a reminder for us to remove it from the codebase, so this change will be included in the nearest release.