Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subdomain Takeover via Tumblr #240

Open
diophant0x opened this issue Oct 20, 2021 · 11 comments
Open

Subdomain Takeover via Tumblr #240

diophant0x opened this issue Oct 20, 2021 · 11 comments

Comments

@diophant0x
Copy link
Contributor

Service name

Tumblr

Fingerprint

A source domain has a DNS entry that points to Tumblr, however no active blog is associated with the domain.

DNS Record: CNAME domains.tumblr.com.
HTTP Response Status: 404 Not Found
HTTP Response Body: Whatever you were looking for doesn't currently exist at this address

Verification:
curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q "Whatever you were looking for doesn't currently exist at this address" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Takeover Steps

Domains with CNAME to Tumblr are vulnerable to subdomain takeover.

Step-by-step process:

  1. Log in to Tumblr account (MUST validate email address)
  2. Go to Tumblr Account drop down
  3. Click Edit Appearance
  4. Click on the pencil icon next to your username
  5. Select Use a custom domain
  6. Set custom domain to source domain name
  7. Click on Test Domain (Should return It's good!)
  8. Click on Save

Some reports on H1, for Tumblr blog takeovers:

https://hackerone.com/reports/113869

https://hackerone.com/reports/221631

Documentation

Tumblr Custom Domains
https://www.tumblr.com/docs/en/custom_domains
diophant0x added a commit to diophant0x/can-i-take-over-xyz that referenced this issue Oct 20, 2021
@diophant0x
Tumblr is vulnerable to subdomain takeover, please reference Issue Ed…
83c334a 
…Overflow#240
@diophant0x diophant0x mentioned this issue Oct 20, 2021
Merged
@pdelteil
Copy link
Contributor

This is an old one.

https://github.com/projectdiscovery/nuclei-templates/blob/master/takeovers/tumblr-takeover.yaml

@diophant0x
Copy link
Contributor Author

Although this takeover opportunity was already mentioned in the README doc, documentation on the takeover steps was missing from this repository. Created this issue in tandem with the PR to update the README in #241.

@pdelteil
Copy link
Contributor

pdelteil commented Mar 16, 2022
edited
Loading

This takeover has changed, to use to a custom domain the dns record needs to point to domains.tumblr.com.

As seen here:

Screenshot from 2022-03-16 01-42-06

So, if the CNAME is different to domains.tumblr.com (probably old deployments) the target domain is not vulnerable.

@OVERPEY
Copy link

OVERPEY commented Sep 5, 2022

if the CNAME is different to domains.tumblr.com

i have CNAME pointing to domains.tumblr.com but still shows exactly the same error, what could be the problem??
tumblr

@alexdolbun
Copy link

devs, the same on my

https://tumblr.alexdolbun.com

the same error, what could be the problem???)))

@alexdolbun
Copy link

i understand, done. disabled proxy on cloudflare on https://tumblr.alexdolbun.com/ and this error is gone 🦄

@qurbat
Copy link
Contributor

qurbat commented Dec 21, 2022
edited
Loading

Hi @pdelteil @diophant0x,

I had originally submitted the A Record based detection for this in #9619931. As far is made clear in the most up-to-date documentation provided by Tumblr, the A Record of 66.6.44.4 is still valid, however, it may be used for apex domain names only. I think this has always been the case, and it is possible I didn't check for this when I had originally made the commit adding instructions for taking over domain names pointing to Tumblr's web infrastructure. In any case, if dealing with a domain name that has more than two levels, i.e., not only subdomains, but any non-apex domain name (e.g., evil.com.au, evil.co.in, as well as mysite.evil.net) a CNAME Record pointing to the domains.tumblr.com host is required instead.

This issue can be closed once the current information on Tumblr apex and subdomain takeover (as qualified above) has been added to the README file. I would myself make a pull request for this but I don't currently have access to a computer.

Best,
Karan

@Sechunt3r
Copy link

Important thing to check before proceeding with the takeover:

  • CNAME should be domains.tumblr.com (If example.com have CNAME like this domains.tumblr.com) then takeover is possible for Tumblr else not.
POC

@zzeitlin
Copy link

This no longer appears possible as of 9 June 2023. See this reference and this reference. According to the references, custom domains must be purchased through Tumblr's own domain service.

On web, we’ve launched support for purchasing custom domains for your blogs directly through Tumblr. Existing custom domains linked to blogs will still work, but going forward, custom domains must be purchased through Tumblr. We’re still working on a domain transfer flow, more to come!

Legacy custom domains are domains registered outside of Tumblr that were connected to a Tumblr blog before we introduced Tumblr Domains. Rest assured that your legacy custom domains will remain the home address of your blog until you disable the "Use custom domain" toggle in blog settings under "Custom Theme". It’s important to note that once your legacy custom domain is disconnected, you will not be able to reconnect it to your Tumblr blog.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@pdelteil @alexdolbun @qurbat @Sechunt3r @zzeitlin @OVERPEY @diophant0x and others