Unbounce is not vulnerable for subdomain takeover.

[smiegles]

The attacker here used an un-ethical way to exploit Unbounce which is resolved now as far as I believe.

https://github.com/EdOverflow/can-i-take-over-xyz#unbounce

[edeirme-zz]

Going through the hackerone report it seems that this instance of subdomain takeover was indeed an exploitation of a vulnerability on the Unbounce services. In the same report, both parties (researcher and Unbounce security team) confirm that the Unbounce vulnerability has been fixed.
Unless there is another instance of subdomain takeover for Unbounce I'll agree with @smiegles that Unbounce's entry is a false-positive.

[rojan-rijal]

@edeirme , subdomain takeover with Unbounce is still possible. I confirmed this right now by creating a domain and then setting its CNAME to unbouncepages.com. This is what Unbounce asks its user to do. If you have a domain that is pointed to unbouncepages.com but does not look claimed, you can create a user account, add a PayPal or Credit Card and then add a custom domain. Once the custom domain is added and you publish a page, it should display the content in that domain.

[its0x08]

@rojan-rijal ur totally right .. last night i reported a subdomain takover and it was using unbounce. The sec team triaged it asap ..!
😅

[EdOverflow]

I think the main issue is the fact that we reference https://hackerone.com/reports/202767 in the Unbounce section which, as @smiegles pointed out, is not accurate and can no longer be exploited. We should remove that reference. Thank you for raising an issue, @smiegles.

[rosonsec]

Are you sure the takeover is still possible?
I am getting this error message when I try to "Add a New Custom Domain":

Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

[d55pak]

Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com

Any idea how we can now

[eraymitrani]

I don't think we can if someone has an unbounce account I can give you a link to test

[rojan-rijal]

@rosonsec @d55pak, Last I checked it was still possible. There might be some edge cases though for example, when I tested, I simply pointed my domain to Unbounces CNAME and see if it was vulnerable. In your case it seems like the domain was being used activity before and then removed from Unbounce. Unbounce might be blocking takeover on those types of domains but I am not sure yet. I will look into this further and update the ticket.
Cheers!

[eraymitrani]

@rojan-rijal if you DM me on Twitter I can give you a previously used domain that is still pointing to a unbounce CNAME

[arbazkiraak]

• I have tried to takeover 10 subdomains which has following Fingerprint
  The requested URL was not found on this server.

Results of 10 subdomains are either:

Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

• Looks like unbounce preventing us from takeovers which they have used their service previously.

👍

[EdOverflow]

Sorry, I have been extremely busy lately and have not had a chance to update the project. We determined that there is only one rare case where one can hijack a subdomain pointing to Unbounce and that is if the team never had a project in the first place. The likelihood of this being the case is so minute that I personally do not think we should claim that it is possible to hijack subdomains pointing towards Unbounce. Thank you to everyone who participated in this discussions here; it is an absolute pleasure seeing everyone working together like this. :)

[ak1t4]

Hey there, I was reading this thread and seems pretty interesting. Which is a subdomain takeover?

A subdomain takeover is posible when the attacker can claim an unclaimed domain name through an alias or canonical name (cname) pointing to unbouncepages.com.
Some 3rd party services put filters to avoid this, like adding a random TXT record or hash or others methods to force and secure the DNS entries as unique per customer, which is NOT the case of unbouncepages.
An attacker can claim a domain not claimed over unbouncepages.com. So, We have 3 scenarios when we want takeover a subdomain over unbounce:

1. 'Domain is already in use' (which means that the domain is claimed)
2. 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (Which means that the domain is NOT actually claimed or used but unbounce detect that the domain was used in the pass) [they put this filter as intent to avoid takeovers.]
3. Claim the domain (no errors: the domain is added to domains section correctly)

*The 3rd options is still available and works: so YES, unbouncepages is Vulnerable to Subdomain Takeover.

regards,
@ak1t4