Subdomain takeover via Pantheon

I hope you are having a great time. I would like to share an issue which I discovered in less than 10 minutes and for which I was rewarded a $XXXX bounty within 24 hours of the submission.

So the story begins when I visited one of the subdomains in a scope and received a certificate error. I removed SSL from the protocol and used HTTP only, and the site opened without any certificate error.

The site was giving 404 errors on the index page, with Pantheon stating “Unknown Site”. I felt it might be vulnerable to a subdomain takeover issue.

Without wasting any time, I signed up for Pantheon, added payment details, created a sandbox domain, installed WordPress and added a simple title on the homepage: “Subdomain Takeover”. The sandbox domain provided by Pantheon looked like http://dev-subdomaintakeover[.]patheonsite.io/

Then I added the vulnerable domain to my Pantheon account, or routed the sandbox domain to the vulnerable subdomain.

Within a few seconds the site was updated with my sandbox domain content.
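For teams that own the DNS, the symptom described above (HTTP 404 with an “Unknown Site” body) can be checked across an inventory of your own hostnames so that stale records are removed before someone else claims them. The script below is an added example, not part of the original write-up; the hostnames and responses in `SAMPLE` are constructed, and the function names are hypothetical.

```python
"""Audit your own DNS inventory for the Pantheon 'Unknown Site' symptom."""
import urllib.error
import urllib.request

# Fingerprint taken from the write-up: HTTP 404 whose body says "Unknown Site".
FINGERPRINT = "unknown site"


def fetch_http(host, timeout=5):
    """Return (status, body) for http://host/. Plain HTTP is used because the
    dangling host in the write-up failed TLS certificate validation."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry a body
        return e.code, e.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body):
    """'dangling' matches the write-up's symptom; 'review' is a 404 without it."""
    if status is None:
        return "unreachable"
    if status == 404 and FINGERPRINT in body.lower():
        return "dangling"
    if status == 404:
        return "review"
    return "ok"


def audit(hosts, fetch=fetch_http):
    """Map each hostname you own to a classification."""
    return {h: classify(*fetch(h)) for h in hosts}


# Constructed sample responses (not captured traffic), keyed by made-up hosts.
SAMPLE = {
    "www.example.test": (200, "<h1>Welcome</h1>"),
    "old-promo.example.test": (404, "<title>404 - Unknown Site</title>"),
    "api.example.test": (404, '{"error":"not found"}'),
    "gone.example.test": (None, ""),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE, fetch=lambda h: SAMPLE[h]).items():
        print(f"{verdict:12} {host}")
```

A host reported as `dangling` should have its DNS record removed, or the site re-provisioned on the platform under your own account.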

The same method was used to hack the website belonging to the current president of the United States of America, Donald J Trump.

References:

https://github.com/EdOverflow/can-i-take-over-xyz/issues/24

https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

https://thehackernews.com/2017/02/donald-trump-website-hacked.html