EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Subdomain Takeover via Tumblr

diophant0x opened this issue · comments

Service name

Tumblr

Fingerprint

A source domain has a DNS entry that points to Tumblr; however, no active blog is associated with the domain.

DNS Record: CNAME domains.tumblr.com.
HTTP Response Status: 404 Not Found
HTTP Response Body: Whatever you were looking for doesn't currently exist at this address

Verification:
curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q "Whatever you were looking for doesn't currently exist at this address" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Takeover Steps

Domains with CNAME to Tumblr are vulnerable to subdomain takeover.

Step-by-step process:

  1. Log in to Tumblr account (MUST validate email address)
  2. Go to Tumblr Account drop down
  3. Click Edit Appearance
  4. Click on the pencil icon next to your username
  5. Select Use a custom domain
  6. Set custom domain to source domain name
  7. Click on Test Domain (Should return It's good!)
  8. Click on Save

Some reports on H1 for Tumblr blog takeovers:

https://hackerone.com/reports/113869

https://hackerone.com/reports/221631

Documentation

Tumblr Custom Domains
https://www.tumblr.com/docs/en/custom_domains

Although this takeover opportunity was already mentioned in the README doc, documentation on the takeover steps was missing from this repository. Created this issue in tandem with the PR to update the README in #241.

This takeover has changed: to use a custom domain, the DNS record needs to point to domains.tumblr.com.

As seen here:

[Screenshot from 2022-03-16 01-42-06]

So, if the CNAME is different from domains.tumblr.com (probably old deployments), the target domain is not vulnerable.

if the CNAME is different to domains.tumblr.com

I have a CNAME pointing to domains.tumblr.com but it still shows exactly the same error. What could be the problem?

I understand, done. Disabled the proxy on Cloudflare for https://tumblr.alexdolbun.com/ and this error is gone 🦄

Hi @pdelteil @diophant0x,

I had originally submitted the A Record based detection for this in #9619931. As far as is made clear in the most up-to-date documentation provided by Tumblr, the A Record of 66.6.44.4 is still valid; however, it may be used for apex domain names only. I think this has always been the case, and it is possible I didn't check for this when I originally made the commit adding instructions for taking over domain names pointing to Tumblr's web infrastructure. In any case, if dealing with a domain name that has more than two levels, i.e., not only subdomains but any non-apex domain name (e.g., evil.com.au, evil.co.in, as well as mysite.evil.net), a CNAME Record pointing to the domains.tumblr.com host is required instead.

This issue can be closed once the current information on Tumblr apex and subdomain takeover (as qualified above) has been added to the README file. I would myself make a pull request for this but I don't currently have access to a computer.

Best,
Karan
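A zone-owner's audit that applies the fingerprint discussed in this thread (a CNAME to domains.tumblr.com, or the A record 66.6.44.4 on the apex only, followed by the 404 body text from the issue's Fingerprint section) to a list of DNS records, so that records still pointing at Tumblr with no blog attached can be found and removed. This is an added example, not code from the can-i-take-over-xyz repository or from any commenter here. The explicit zone apex, the injectable fetcher, the `DnsRecord`/`Finding` types, the sample records and the canned HTTP answers are assumptions constructed for an offline run; `http_fetch` is the live equivalent of the issue's curl check.

```python
"""Zone audit for dangling Tumblr custom-domain records (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

TUMBLR_CNAME_TARGET = "domains.tumblr.com"
TUMBLR_APEX_A = "66.6.44.4"
# Body text served for an unclaimed domain, as quoted in the issue.
UNCLAIMED_MARKER = "Whatever you were looking for doesn't currently exist at this address"

# A fetcher maps a hostname to (HTTP status, body), or None if the host does not answer.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


@dataclass(frozen=True)
class DnsRecord:
    name: str    # owner name, trailing dot optional
    rtype: str   # "A" or "CNAME"
    value: str   # target hostname or IPv4 address


@dataclass(frozen=True)
class Finding:
    name: str
    status: str  # "dangling", "claimed", "unreachable" or "misplaced"
    detail: str


def _norm(host: str) -> str:
    return host.strip().rstrip(".").lower()


def points_at_tumblr(rec: DnsRecord) -> bool:
    """True when the record targets Tumblr's custom-domain infrastructure."""
    value = _norm(rec.value)
    if rec.rtype.upper() == "CNAME":
        return value == TUMBLR_CNAME_TARGET
    if rec.rtype.upper() == "A":
        return value == TUMBLR_APEX_A
    return False


def audit_zone(zone_apex: str, records: List[DnsRecord], fetch: Fetcher) -> List[Finding]:
    """Classify every Tumblr-pointing record in one zone.

    The apex is passed in explicitly (assumption: the zone owner knows it), so
    non-apex names are recognised without a public-suffix lookup.
    """
    apex = _norm(zone_apex)
    findings: List[Finding] = []
    for rec in records:
        if not points_at_tumblr(rec):
            continue
        name = _norm(rec.name)
        if rec.rtype.upper() == "A" and name != apex:
            # Per the thread, the A record is for the apex only; any other
            # name must use the CNAME, so this record cannot work as intended.
            findings.append(Finding(name, "misplaced",
                                    "A record to Tumblr on a non-apex name; a CNAME is expected here"))
            continue
        response = fetch(name)
        if response is None:
            findings.append(Finding(name, "unreachable", "no HTTP response; re-check later"))
            continue
        status, body = response
        if status == 404 and UNCLAIMED_MARKER in body:
            findings.append(Finding(name, "dangling",
                                    f"{rec.rtype.upper()} -> {rec.value} but no blog is attached; remove the record"))
        else:
            findings.append(Finding(name, "claimed", f"HTTP {status}, blog appears attached"))
    return findings


def http_fetch(host: str, timeout: float = 10.0) -> Optional[Tuple[int, str]]:
    """Live fetcher: plain HTTP GET, mirroring the issue's curl | grep check."""
    try:
        with urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # a 404 is raised here rather than returned
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (URLError, OSError):
        return None


# Constructed sample zone and canned HTTP answers for an offline run.
SAMPLE_ZONE = "example.com"
SAMPLE_RECORDS = [
    DnsRecord("example.com.", "A", TUMBLR_APEX_A),             # apex, blog attached
    DnsRecord("blog.example.com.", "CNAME", "domains.tumblr.com."),  # dangling
    DnsRecord("old.example.com.", "A", TUMBLR_APEX_A),         # A record on a non-apex name
    DnsRecord("www.example.com.", "CNAME", "example.com."),    # not Tumblr, ignored
]
SAMPLE_HTTP: Dict[str, Tuple[int, str]] = {
    "example.com": (200, "<html>my blog</html>"),
    "blog.example.com": (404, f"<p>{UNCLAIMED_MARKER}</p>"),
}


def demo() -> Dict[str, str]:
    """Run the audit against the constructed zone; returns name -> status."""
    return {f.name: f.status for f in audit_zone(SAMPLE_ZONE, SAMPLE_RECORDS, SAMPLE_HTTP.get)}


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, SAMPLE_RECORDS, SAMPLE_HTTP.get):
        print(f"{f.status:11} {f.name}: {f.detail}")
```

For a real zone, export the records from the authoritative provider and call `audit_zone(apex, records, http_fetch)`; a "dangling" or "misplaced" result is a record to delete (or fix) regardless of whether Tumblr still lets anyone attach an external domain, since a stale pointer into third-party infrastructure is the condition every takeover in this repository starts from.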

Important thing to check before proceeding with the takeover:

  • CNAME should be domains.tumblr.com (if example.com has a CNAME like domains.tumblr.com, then takeover is possible for Tumblr; otherwise not).

POC (screenshot)

This no longer appears possible as of 9 June 2023. See this reference and this reference. According to the references, custom domains must be purchased through Tumblr's own domain service.

On web, we’ve launched support for purchasing custom domains for your blogs directly through Tumblr. Existing custom domains linked to blogs will still work, but going forward, custom domains must be purchased through Tumblr. We’re still working on a domain transfer flow, more to come!

Legacy custom domains are domains registered outside of Tumblr that were connected to a Tumblr blog before we introduced Tumblr Domains. Rest assured that your legacy custom domains will remain the home address of your blog until you disable the "Use custom domain" toggle in blog settings under "Custom Theme". It’s important to note that once your legacy custom domain is disconnected, you will not be able to reconnect it to your Tumblr blog.