Security Breached Blog

UBER Wildcard Subdomain Takeover | BugBounty POC

Muhammad Khizer Javed November 20, 2017

Hi All,

So last month I decided to test Uber for fun and profit. While scanning for subdomains to target, I found the subdomain “”. Navigating to it redirected me to another domain owned by Uber. That domain was new to me, as I hadn't seen it before; it is a static website, so I was not sure what issues I could find on it.

I decided to scan for its subdomains as well, so I set up the script with my custom subdomain wordlist. As soon as the script started, it began listing the subdomains in exactly the order they appeared in my list (for example, my list starts with www, blog, beta1, beta2, dev2, etc.). That was strange: my wordlist contains 6000 words to test for subdomains, and it was reporting that every one of them existed. I decided to check these subdomains manually. The subdomain I tested was “”; it showed me an error, and the subdomain was resolving to *

Most of us know that this error can sometimes lead to a subdomain takeover (read about subdomain takeover here). So I logged in to my Heroku account, created an app named “Ubertst”, and then added the subdomain to its domain list.

After that, the error on the subdomain was gone, and the page changed to

That's all I did, and I had taken over one subdomain of Uber.

For further impact identification, @uranium238 gave some ideas related to Google G Suite verification. As you know, Google G Suite needs to verify a domain before giving access to the app, so an attacker can send and receive emails as Uber using * subdomains by simply following these steps:


1) Register a domain as
2) Create a Google G Suite account as [email protected]
3) Verify the domain by uploading the verification HTML file to the domain via GitHub
4) After verification, I'm able to send and receive emails as [email protected]

Also, as the domain is owned by the attacker, he can use it for any other purpose he likes: he can add a site on Google Sites, and it can also be used as a scam site.

Well, after that, I reported the issue to Uber.

But after reporting, I turned to the other subdomains: only one subdomain was legitimate, and all the other subdomains were vulnerable to takeover. Basically, the Heroku wildcard was open, and I could register any subdomain.
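For zone owners who want to catch the two conditions this post describes in their own records (a wildcard that makes any label resolve, and names whose CNAME points at a hosting provider that reports the app as unclaimed), here is an added Python classifier; it is not the author's tooling. It assumes herokudns.com as the Heroku DNS-target suffix and a placeholder "no such app" page marker (the post does not quote the error text), works on a snapshot you collect with your own resolver and HTTP client, and the sample snapshot below is constructed.

```python
import secrets
import string
from dataclasses import dataclass

# Provider DNS-target suffix -> text on its "unclaimed app" page.
# The marker text is an ASSUMED placeholder, not quoted from the post.
UNCLAIMED_MARKERS = {".herokudns.com": "no such app"}

@dataclass
class Observation:
    host: str
    cname: "str | None"   # CNAME target, None when the name does not resolve
    body: str             # front-page HTTP body captured for the host

def probe_labels(n=3, length=12):
    """Random labels nobody created on purpose; if they resolve, expect a wildcard."""
    alphabet = string.ascii_lowercase + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(n)]

def provider_for(cname):
    """Return the matching provider suffix for a CNAME target, or None."""
    if cname is None:
        return None
    target = cname.lower().rstrip(".")
    return next((s for s in UNCLAIMED_MARKERS if target.endswith(s)), None)

def analyse(observations, probe_hosts):
    """Return (wildcard_suspected, dangling_hosts) for a snapshot.
    wildcard_suspected: every random probe name resolved.
    dangling_hosts: CNAME points at a provider and its unclaimed marker is shown."""
    by_host = {o.host: o for o in observations}
    wildcard = bool(probe_hosts) and all(
        p in by_host and by_host[p].cname is not None for p in probe_hosts)
    dangling = sorted(
        o.host for o in observations
        if (s := provider_for(o.cname)) and UNCLAIMED_MARKERS[s] in o.body.lower())
    return wildcard, dangling

# Constructed snapshot; "zone.example" stands in for the static site the post names.
ZONE = "zone.example"
PROBE = [f"{label}.{ZONE}" for label in ("x7q2k9m4p1ab", "z3r8t5w0nc6d")]
SAMPLE = [
    Observation(f"www.{ZONE}", "legit-app.herokudns.com.", "<h1>Welcome</h1>"),
    Observation(f"dev2.{ZONE}", "wild.herokudns.com.", "<h1>No such app</h1>"),
    Observation(PROBE[0], "wild.herokudns.com.", "<h1>No such app</h1>"),
    Observation(PROBE[1], "wild.herokudns.com.", "<h1>No such app</h1>"),
    Observation(f"old.{ZONE}", None, ""),
]
```

Run `analyse(SAMPLE, PROBE)` on the sample and it reports the wildcard plus dev2 and both random probe names as dangling, while the legitimately bound www host is left alone.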

Thanks For reading 🙂



Status: Resolved

Bounty: A bit low!!