TL;DR: https://hackerone.com/reports/171942 My dog waiting for the FBI to show up The Issue does not have a lot of public facing subdomains, as of right now a basic subdomain scan on shows only 13 subdomains (compared to 799 for Facebook). I figured with a high profile bounty program like Snapchat these would be tested pretty hard and decided not to bother. However, I’ve been doing some Wordpress lately and caught my eye. Snapchat pentest-tools.com hacking blog.snapchat.com There’s nothing here. The DNS record for shows a CNAME record and some logic pointing to , which resolved to the below page. blog.snapchat.com snapchat-blog.com Tumblr 404 page I have limited experience with Tumblr but I assumed this was an unclaimed blog page. My first guess was that in the background they were pointing to some website like , but that blog was already taken, so this was wrong. snapchat.tumblr.com After some digging I found out Tumblr has the same custom domain setup as many other websites: Point your DNS to their IP through an ANAME record Let the website deal with the CNAME stuff. I was able to verify this by nslookup, seeing that snapchat-blog.com pointed to 66.6.32.21, an IP owned by Tumblr for custom domain routing. # nslookup snapchat-blog.com Non-authoritative answer:Name: snapchat-blog.comAddress: 66.6.32.21 Viewing Google’s cached copy of this page shows this domain was properly claimed the day before (9/24). Snapchat must have accidentally removed the custom domain claim from their Tumblr account in the last 24 hours, probably in preparation for switching to for their recent re-branding. snap.com/news After I figured out how Tumblr handled CNAMEs it was as easy as going to my account settings and claiming the domain name. Tumblr custom domain settings My First Tumblr Visiting (which redirects to ) then showed the following blog.snapchat.com snapchat-blog.com Snapchat blog page I decided to put my name on this subdomain for a valid PoC, narcissism, and to aid Snapchat in fixing the vulnerability if they did not see the Hackerone report first. This ultimately led to me not receiving a bounty, since I did not handle this in a quieter matter. That was not my initial intention, but I can understand their position. Resolution Timeline 9/25/16 3:08 PM CDT: Issue reported to Snapchat on Hackerone 7:18 PM CDT: Snapchat confirms the vulnerability and asks me to redirect to the real blog for a temporary fix. They also redirected to for a stronger fix. blog.snapchat.com snap.com/news 8:33 PM CDT: Email contact begins to help transfer the snapchat-blog.com Tumblr ownership 9/26/16 9:59 AM CDT: Tumblr ownership is transfered to Snapchat 10/4/16 9:37 PM CDT: Report is closed 10/5/16 1:41 PM CDT: Request for public disclosure approved Thank you to Snapchat for the quick response time and for running such a great bug bounty program. If you are interested in their program please visit . https://hackerone.com/snapchat

Facebook

Google

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Subdomain takeover of blog.snapchat.com

Too Long; Didn't Read

Companies Mentioned

Jake Reynolds

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Subdomain takeover of blog.snapchat.com

Too Long; Didn't Read

Companies Mentioned

Jake Reynolds

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES