EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Pingdom.com Services Are Also Possible To Be Claimed.

GDATTACKER-RESEARCHER opened this issue · comments

@adiffpirate I believe @manasmbellani is right with his signature in subjack.

I did a test with the following test cases when I enabled the public dashboard at stats.masarik.sh (takeoverable cases in bold):

  1. Enabled, but without any checks enabled. This responds with Public Report Not Activated (fingerprint introduced in #159), but it's a false positive, as you cannot claim the dashboard with another account. Attempting to do so results in 500: Server Error in the Pingdom UI (it doesn't seem they check for this on purpose, but it seems secure 🙃)

  2. Enabled, with any check enabled. This results in the expected state (the dashboard shows up), and nobody can take it over as long as your account is active.

  3. Disable an account that had a public dashboard enabled. This opens a space for takeover as long as the target's CNAME remains pointing to stats.pingdom.com. This works regardless of whether the dashboard had checks enabled before.

  4. Change the domain name of the public dashboard. This opens a space for takeover as long as the target's CNAME remains pointing to stats.pingdom.com.

  5. Point the CNAME to stats.pingdom.com, but don't enable it in Pingdom. As expected, this opens a space for takeover too (with the same response as above).

As far as I can tell, #159 is addressing the false positive case 1, and we need to address 3, 4 and 5 instead. Or did you have a different example that would allow taking over the "This public report page has not been activated by the user" cases, @adiffpirate?

If you want a robust mechanism that errs on the false positive side, you could check for 404 instead. Both cases return 404, and it's a bit more probable that it will continue to work even if they change wording.
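As an added example (not code from the issue or from subjack), the classification the comment above arrives at, written as a small Python check a zone owner can run over their own CNAME records. Host names, CNAME targets and responses below are constructed; it assumes each host was fetched by its own hostname (so Pingdom serves that host's dashboard, not the generic stats.pingdom.com page).

```python
from dataclasses import dataclass
from typing import List, Optional

# CNAME target that a Pingdom public dashboard hostname points at (from the thread).
PINGDOM_CNAME = "stats.pingdom.com"
# Wording returned in case 1 (dashboard claimed, no checks enabled). The thread calls
# this a false positive for takeover: the name is still held by an account.
NOT_ACTIVATED_TEXT = "This public report page has not been activated by the user"


@dataclass
class Observation:
    """One host from your zone plus what requesting it by its own name returned."""
    host: str
    cname: Optional[str]    # CNAME target, or None when the record is not a CNAME
    status: Optional[int]   # HTTP status for http(s)://host/, None if unreachable
    body: str = ""          # response body; only the fingerprint text matters


def classify(obs: Observation) -> str:
    """Map one observation onto the cases enumerated in the comment above."""
    if not obs.cname or obs.cname.rstrip(".").lower() != PINGDOM_CNAME:
        return "not-pingdom"
    if NOT_ACTIVATED_TEXT in obs.body:
        # Case 1: owned by an account that never added a check; not claimable.
        return "owned-no-checks"
    if obs.status == 404:
        # Cases 3, 4 and 5: the CNAME still points at Pingdom but no account holds
        # this dashboard name. Remove the record or re-create the dashboard.
        return "dangling"
    if obs.status == 200:
        return "active"  # Case 2: dashboard served by an active account
    return "unknown"


def dangling_hosts(observations: List[Observation]) -> List[str]:
    """Hosts that need remediation (delete the CNAME or reclaim the dashboard)."""
    return [o.host for o in observations if classify(o) == "dangling"]


# Constructed sample records for example.com, one per case; not real hosts.
SAMPLE = [
    Observation("status.example.com", "stats.pingdom.com.", 200, "<h1>Uptime</h1>"),
    Observation("uptime.example.com", "stats.pingdom.com.", 200,
                "<p>This public report page has not been activated by the user.</p>"),
    Observation("old-status.example.com", "stats.pingdom.com.", 404, "Not Found"),
    Observation("www.example.com", "example.github.io.", 200, ""),
    Observation("api.example.com", None, 200, ""),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(f"{o.host:25} {classify(o)}")
    print("dangling:", dangling_hosts(SAMPLE))
```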

@janmasarik Wow, really nice work testing/documenting that. I created the PR based solely on what I saw in the proof video and the error page that shows up there.

Thank you for going the extra mile. I'm gonna create another PR later and update the fingerprint (or you can do that if you wanna) 😊

Happy to help @adiffpirate! I've gone ahead and made #178 to address this. :-)

Supposedly, as of at least October (but possibly before that), this no longer works. Could someone please check?