Nov 21, 2019

[ DNS Takeover ] Potentially Takeover for all SubDomains That uses Campaign Monitor Newsletters Services


Takeover for all SubDomains That uses Campaign Monitor  Newsletters Services 

Recently, I've found that all Campaign Monitor  Newsletters Services are vulnerable to Potentially Takeover. I've reported it 2 months ago and No reply due too I was banned from Bugcrowd So I will share this takeover here.

Explain of My Found:
There are many companies thats use Campaign Monitor as email service. so they must create  subdomian for this service example : 
and must have cname is belong to Campaign Monitor services

all connected subdomains to this cname
can read all Campaign for other users 
So any attacker can create a new Campaign 
and connect it to the main subdomain.

Poc example :
I've attached my Campaign to a vulnerable subdomain
you will see it redirect to my DNS and my fake Campaign


Share This
Next Post

Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student