Discourse hosted subdomain takeover possible?

[chackmate]

Is subdomains hosted at discourse is vulnerable to takeover or not?

[mardinyadegar]

It doesn't appear so, I found a discourse subdomain that was serving me a 404 when visiting. Upon trying to create a demo using the subdomain that was returning a 404, I was given the following error you can see in the attached image.

[pdelteil]

More info from 2017.

https://hackerone.com/reports/264494

[jbreed]

@pdelteil Following back up on this. Do we know what the site displays (search text) for when a domain is vulnerable? Seems like this is pretty old, but not seeing it anywhere.

[NagliNagli]

So yesterday I found a google acquisition who pointed to xxx.trydiscourse.com, I registered the discourse account with the trial and managed to takeover the CNAME the original one pointed to, for some weird caching issues the original domain remained at 404, but I managed to takeover the CNAME linked to it.

[h3cksamrat]

I found out that
*.trydiscourse.com is vulnerable
whereas,
*.hosted-by-discourse.com is not vulnerable.

So, subdomain takeover on discourse is possible in edge cases.

[ghost]

I can confirm that *.hosted-by-discourse.com is not vulnerable.
When you sign up they give you a unique CNAME and they validate that you have the correct CNAME in your DNS config.