Nov 21, 2019

[ DNS Takeover ] Potential Takeover for All Subdomains That Use Campaign Monitor Newsletter Services


Recently, I found that all Campaign Monitor newsletter services are vulnerable to a potential takeover. I reported it 2 months ago and got no reply because I was banned from Bugcrowd, so I will share this takeover here.

Explanation of my finding:
Many companies use Campaign Monitor as their email service, so they must create a subdomain for this service, for example:
newsletter.domain.com
and it must have the CNAME
cname.createsend.com
createsend.com belongs to Campaign Monitor.

All subdomains connected to this CNAME can read all campaigns of other users, so any attacker can create a new campaign and connect it to the main subdomain.
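
An added example (not from the original post): a defender-side inventory of a zone export that lists every name whose CNAME chain ends at createsend.com, so each record can be checked against the Campaign Monitor account that is supposed to own it. The zone text, `example.com` and all function names are constructed for illustration.

```python
# Added example: inventory of zone records that resolve to Campaign Monitor.
# The zone text below is constructed sample data, not taken from the post.
import re

PROVIDER_SUFFIX = "createsend.com"  # domain named in the post

SAMPLE_ZONE = """\
$ORIGIN example.com.
www         3600 IN A     192.0.2.10
newsletter  3600 IN CNAME cname.createsend.com.
news        3600 IN CNAME mail-alias
mail-alias  3600 IN CNAME cname.createsend.com.
shop        3600 IN CNAME shops.example.net.
"""

def fqdn(name, origin):
    """Expand a relative zone name to a lowercase FQDN without trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME record in a BIND-style zone."""
    origin, cnames = "", {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", line, re.I)
        if m:
            cnames[fqdn(m.group(1), origin)] = fqdn(m.group(2), origin)
    return cnames

def provider_aliases(zone_text, suffix=PROVIDER_SUFFIX):
    """List (owner, chain) for names whose CNAME chain ends at the provider."""
    cnames, hits = parse_cnames(zone_text), []
    for owner in sorted(cnames):
        chain, seen = [owner], {owner}
        # Follow in-zone aliases, stopping on a loop or an out-of-zone target.
        while chain[-1] in cnames and cnames[chain[-1]] not in seen:
            chain.append(cnames[chain[-1]])
            seen.add(chain[-1])
        if chain[-1] == suffix or chain[-1].endswith("." + suffix):
            hits.append((owner, chain))
    return hits

if __name__ == "__main__":
    for owner, chain in provider_aliases(SAMPLE_ZONE):
        print(owner, "->", " -> ".join(chain[1:]))
```

Any name in the output that no longer corresponds to an active custom domain in the organization's own Campaign Monitor account is a candidate for removal from the zone.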


PoC example:
I attached my campaign to a vulnerable subdomain.
You will see that it redirects to my DNS and my fake campaign.




Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student
