UBER Wildcard Subdomain Takeover | BugBounty POC

Hi All,

Last month I decided to test Uber for fun and profit. While scanning for subdomains to target, I found the subdomain “design.uber.com”. When I navigated to it, it redirected me to another domain owned by Uber, https://www.uber.design/. The domain was new to me, as I hadn’t seen it before. It is a static website, so I was not sure what issues I could find on it.

I decided to scan for its subdomains as well, so I set up the script with my custom subdomain wordlist. As soon as the script started, it began showing me the subdomains that were in my list (for example, my list started with www, blog, beta1, beta2, dev2, etc.). That was strange: my wordlist contains 6000 words to test for subdomains, and the script was showing that all of the subdomains were available. I decided to check these subdomains manually. The subdomain I tested was “www.mobile.uber.design”; it showed me an error, and the subdomain was resolving to *.herokudns.com.

Most of us know that this error can sometimes lead to subdomain takeover (read about subdomain takeover here), so I logged in to my Heroku account and created an app named “Ubertst”. After that, I added the subdomain www.mobile.uber.design to my domain list.

After that, the error on the subdomain was gone and it was changed to

That’s all I did, and I had taken over one subdomain of Uber.

For further impact identification, @uranium238 gave some ideas related to Google G Suite verification. As you know, Google G Suite needs to verify a domain before giving access to the app, and an attacker can send and receive emails as Uber using *.uber.design subdomains by simply following these steps.

Steps:

1) Register a domain as admin.uber.design
2) Create a Google G Suite account as support@admin.uber.design
3) Verify the domain by uploading HTML to the domain via GitHub
4) After verification I’m able to send and receive emails as support@admin.uber.design

Also, as the domain is owned by the attacker, he can further use it for any miscellaneous purposes: he can add a site on Google Sites, and it can also be used as a scam site.

Well after that,

I reported the issue to Uber.

But after reporting, I turned to the other subdomains: only one subdomain, www.uber.design, was legit, and all other subdomains were vulnerable to takeover, basically because the Heroku wildcard is open and I can register any subdomain.
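For zone owners, the root cause described above (a wildcard record pointing at herokudns.com) can be caught by auditing a zone export. The following is an added example, not part of the original post: the sample zone, its names and the suffix list are constructed assumptions.

```python
# Added example: audit a zone export for CNAMEs to self-service hosting.
# SAMPLE_ZONE is constructed; the zone name and targets are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.design.
@     300 IN A     192.0.2.10
www   300 IN CNAME www.example.design.herokudns.com.
*     300 IN CNAME wildcard.example.design.herokudns.com. ; catch-all
mail  300 IN MX    10 mx.example.net.
"""

# Assumption: suffixes of platforms where any account can claim a hostname.
CLAIMABLE_SUFFIXES = (".herokudns.com.", ".herokuapp.com.")


def parse_cnames(zone_text):
    """Return (owner, target) pairs for one-line CNAME records."""
    pairs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 3 or fields[0].startswith("$"):
            continue  # blank line, directive, or too short to be a record
        i = 1
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1  # skip optional TTL and class
        if i + 1 < len(fields) and fields[i].upper() == "CNAME":
            pairs.append((fields[0], fields[i + 1].lower()))
    return pairs


def audit_zone(zone_text, suffixes=CLAIMABLE_SUFFIXES):
    """Flag CNAMEs to claimable platforms; wildcards are the high-risk case."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if not target.endswith(suffixes):
            continue
        # A wildcard delegates every unclaimed label to the platform at once.
        wildcard = owner == "*" or owner.startswith("*.")
        severity = "HIGH" if wildcard else "REVIEW"
        findings.append((severity, owner, target))
    return findings


if __name__ == "__main__":
    for severity, owner, target in audit_zone(SAMPLE_ZONE):
        print(f"{severity:6} {owner:4} -> {target}")
```

A `HIGH` finding calls for replacing the wildcard with explicit records for hostnames that are actually claimed on the platform; `REVIEW` entries should each be confirmed as still attached to an app the organization controls.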

Thanks For reading 🙂

Program: https://hackerone.com/uber

Report: https://hackerone.com/reports/275337

status: Resolved

Bounty: A bit low!!

About the Author

babayaga47

Ethical Hacker, Bug Bounty Hunter/ Pentester & Gamer
