Subdomain Takeover Pointing To Shopify

Hey,
IPFS Security Team

This is Gaurav Kumar from India. While trying to find some new bug bounty programs, I found that your subdomain webdisk.shop.ipfs.io is vulnerable to takeover, as its CNAME resolves to Shopify. So I tried to take it over and successfully took it over.
PoC steps:
Create a Shopify account, add the domain, and verify the CNAME. All done.
Patch it please.
Regards

There are so many better ways to responsibly disclose this than exploiting it and publicly disclosing the exploit without giving the domain owners proper time to patch the vulnerability. This is a really bad practice in general, and can lead to disastrous consequences not only for domain owners, but for yourself, since this is technically illegal.

In general I would imagine the best people to contact about this stuff are at security@ipfs.io. While this isn’t exactly an issue related to go-ipfs, you can find the GPG key for that email here.


Thank you for the report, we have removed that CNAME record. As far as we can tell, the impact is that an attacker can host custom Shopify shops under our domain, is that correct?

As @postables noted, please make future reports to security@ipfs.io.

Also, while I understand a PoC can help convince someone that a vulnerability is real and while this PoC appears to be completely harmless (thank you for that), postables is right again. Not everyone is reasonable when it comes to PoCs. Many such unreasonable parties have armies of lawyers and really don’t like to be embarrassed. Just be careful and CYA.

Legal Disclaimer: I’m not implying that we allow PoCs against our live infrastructure, just that we’re reasonable and this one was clearly harmless and well intentioned. In case someone tries to deface our website and claim “but you said that’s OK!”, I didn’t. :roll_eyes:


Sorry about posting it here, but I couldn’t find your security email anywhere after trying for a long time, so I thought it better to make you aware. And yes, any attacker would be able to post custom details and create a shop on that domain, as well as fool users under your name, since users would treat it as a subdomain of your parent domain.

Earlier I tried to contact you through the email I found, which seems to be unavailable,

so I tried here.
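The fix described above was removing the CNAME record. As an added example (not code from this thread or from the IPFS project), the script below shows the kind of zone audit a domain owner can run to catch this class of record before a reporter does: it parses BIND-style records, picks out CNAMEs that point at hosted providers such as Shopify, and reconciles them against the hostnames the organisation has actually registered with those providers. The zone data, the `.test` names and the provider suffix list are all constructed for illustration.

```python
"""Audit a zone's CNAME records for hosted-provider targets that must be
backed by an active account, and flag the ones that are not.

Added example; the zone below is constructed and THIRD_PARTY_SUFFIXES is
an illustrative placeholder for whatever providers an organisation uses.
"""
import re

# Constructed sample of BIND-style records (not the real ipfs.io zone).
SAMPLE_ZONE = """\
www.example.test.          300 IN CNAME example.test.
shop.example.test.         300 IN CNAME shops.myshopify.com.
webdisk.shop.example.test. 300 IN CNAME shops.myshopify.com.
docs.example.test.         300 IN CNAME example.github.io.
api.example.test.          300 IN A     192.0.2.10
"""

# Hosted-service suffixes: a record pointing here is only safe while the
# hostname is claimed in the organisation's account at that provider.
THIRD_PARTY_SUFFIXES = ("myshopify.com", "github.io", "herokuapp.com")

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$", re.I)


def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line, lower-cased and
    without the trailing dot; non-CNAME records are ignored."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            owner = m.group(1).lower().rstrip(".")
            target = m.group(2).lower().rstrip(".")
            pairs.append((owner, target))
    return pairs


def third_party_cnames(zone_text, suffixes=THIRD_PARTY_SUFFIXES):
    """Map each CNAME owner that points at a hosted provider to that suffix."""
    findings = {}
    for owner, target in parse_cnames(zone_text):
        for suffix in suffixes:
            if target == suffix or target.endswith("." + suffix):
                findings[owner] = suffix
    return findings


def unclaimed_records(zone_text, claimed, suffixes=THIRD_PARTY_SUFFIXES):
    """Owners pointing at a provider but absent from `claimed`, the set of
    hostnames registered in the organisation's provider accounts. These are
    the records to remove (as IPFS did here) or to re-claim at the provider."""
    hits = third_party_cnames(zone_text, suffixes)
    return sorted(owner for owner in hits if owner not in claimed)
```

Feed `unclaimed_records` the zone export and the domain list from each provider's admin console; a non-empty result is a record to delete or re-register before anyone else can.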