Taking over the Medium subdomain using Medium

Medium is a blog hosting platform where a user can write their ideas and share them with a mass number of people. The great thing about medium is “Simplicity” everything is made easier whether it is User Interface/Experience, system, or functions.

After discovering my first critical server-side issue in the medium platform, I chose to help secure the medium by further exploring the vulnerabilities and did explore almost every feature, and every functionality.

While gathering information about the Medium assets, something draw my attention which was medium.engineering. The subdomain platform.medium.engineering had DNS entry pointed to but the medium blog was not active.

Image: DNS records for platforms.medium.engineering

In order to point our blog to the vulnerable subdomain medium membership is required. The process is simple to go to the medium account and add the domain.

Image: A record required to link a domain which is already done by Medium Engineering Team

Image: Subdomain linked.

And here we go.

Image: Subdomain Takeover

Sad Part: The Subdomain takeover issue is not eligible for a bounty cash reward according to the Medium Bug Bounty policy.