How I did a subdomain takeover in ten minutes

3 years ago

Muhammet Uslu

Hi everyone, I am Muhammet and I am new to cyber security. This is my first write-up on a critical finding.

First, let's look at the definitions of the concepts involved.

Subdomain Takeover:
A subdomain takeover occurs when a subdomain's DNS record (usually a CNAME) still points to an external service (GitHub Pages, Heroku, Shopify and so on) but the resource it pointed to has been removed or deleted. The record is now dangling: the provider receives the traffic for that name but has no tenant behind it. An attacker who registers the same name, or connects the subdomain to their own account on the provider, is then served by the provider as the legitimate content of that subdomain.

Shopify:
Shopify is cloud-based e-commerce software sold on a monthly subscription; it gives store owners an admin panel for entering store data, adding products and processing orders. What matters for this write-up is how custom domains work: a store is served from a myshopify.com address, and a merchant attaches a domain of their own by pointing its DNS at Shopify (typically a CNAME to shops.myshopify.com) and then connecting that domain to the store from the admin panel. The connection check only confirms that the DNS record points at Shopify; it does not establish who created that record.

The target was a pharmacy company; let's call it redacted.com. First of all, I enumerated subdomains with tools such as assetfinder, findomain and amass. Then I separated out the live subdomains with httprobe. After that I took screenshots of all live subdomains with aquatone and reviewed them quickly. One of the screenshots caught my attention: "shop.redacted.com". I saw this type of error page.

So the next step was to find out who owned the domain. I opened whois.com and searched for redacted.com.

Whois.com is a web application for looking up information about domain names, such as the expiry date, IP addresses and the registrant.

With this information, we can start attacking the subdomain.

I created a trial account on Shopify with the store name "The subdomain was taken over by uslu78"; the name is not important, you can use any name.

After that, navigate to Sales Channels > Domains, and under third-party domains add the vulnerable domain name and connect it to the attacker's store.

As you can see, the subdomain has now been taken over by me.

Steps To Reproduce

1) Create a Shopify account.

2) In the Shopify admin, open Sales Channels > Domains from the menu on the left.

3) Click "Connect existing domain" on the screen that appears.

4) Enter the vulnerable subdomain (shop.redacted.com in this write-up) in the domain field.

5) Then click "Verify connection".
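Before spending time in the Shopify dashboard it is worth confirming what the aquatone screenshot suggests: that the subdomain's DNS record still points at Shopify and that Shopify answers with its unclaimed-shop page. The script below is an added example, not code from the original write-up, that automates that triage over a list of live hosts such as httprobe output, and that belongs between the screenshot review above and step 1 of the reproduction. The Shopify fingerprint it assumes (a CNAME to shops.myshopify.com and a body containing "Sorry, this shop is currently unavailable") is the commonly documented one; the GitHub Pages and Heroku entries are illustrative and should be re-checked before use. The host names, DNS answers and HTTP bodies are constructed sample data, so the demo runs offline; `dig_resolve` and `http_fetch` are optional live adapters.

```python
"""Added example: triage for dangling CNAME records (subdomain takeover candidates).

The resolver and fetcher are injected so the logic runs offline on constructed
data; dig_resolve()/http_fetch() are optional live adapters for real targets.
"""
import subprocess
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

# Provider fingerprints: the CNAME suffix the record points at, and the substring the
# provider returns when no tenant owns that name. The Shopify pair is the widely
# documented one (assumption: confirm against the provider's current page); the
# other two entries are illustrative.
FINGERPRINTS = {
    "shopify": ("myshopify.com", "Sorry, this shop is currently unavailable"),
    "github-pages": ("github.io", "There isn't a GitHub Pages site here"),
    "heroku": ("herokuapp.com", "No such app"),
}

Resolver = Callable[[str], Optional[str]]  # host -> CNAME target, or None if no CNAME
Fetcher = Callable[[str], Optional[str]]   # host -> HTTP body, or None on failure


@dataclass
class Finding:
    host: str
    cname: Optional[str]
    provider: Optional[str]
    dangling: bool
    reason: str


def follow_cname(host: str, resolve: Resolver, max_hops: int = 5) -> Optional[str]:
    """Walk the CNAME chain from host; return the final target, or None if host has no CNAME.
    Stops on loops and after max_hops so a hostile zone cannot make us spin."""
    chain: List[str] = []
    cur = host
    for _ in range(max_hops):
        nxt = resolve(cur)
        if nxt is None or nxt == host or nxt in chain:
            break
        chain.append(nxt)
        cur = nxt
    return chain[-1] if chain else None


def match_provider(cname: str) -> Optional[str]:
    """Map a CNAME target to a fingerprint entry by domain suffix (label-aligned)."""
    for name, (suffix, _) in FINGERPRINTS.items():
        if cname == suffix or cname.endswith("." + suffix):
            return name
    return None


def classify(host: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    """A host is a takeover candidate only if its CNAME lands on a known provider AND the
    provider serves its unclaimed-resource page. Every other outcome is reported with a reason."""
    cname = follow_cname(host, resolve)
    if cname is None:
        return Finding(host, None, None, False, "no CNAME; A-record targets need a per-provider check")
    provider = match_provider(cname)
    if provider is None:
        return Finding(host, cname, None, False, "CNAME target not in the fingerprint table")
    body = fetch(host)
    if body is None:
        return Finding(host, cname, provider, False, "no HTTP response; check whether the target name is NXDOMAIN")
    if FINGERPRINTS[provider][1] in body:
        return Finding(host, cname, provider, True, f"{provider} served its unclaimed-resource page")
    return Finding(host, cname, provider, False, "provider served content; resource appears claimed")


def triage(hosts: List[str], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    """Return only the dangling findings for a list of live hosts (e.g. httprobe output)."""
    return [f for f in (classify(h, resolve, fetch) for h in hosts) if f.dangling]


# Live adapters, not used by the offline demo. dig_resolve needs the `dig` binary on PATH.
def dig_resolve(host: str) -> Optional[str]:
    try:
        out = subprocess.run(["dig", "+short", "CNAME", host], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    first = out.strip().splitlines()[:1]
    return first[0].rstrip(".") if first else None


def http_fetch(host: str) -> Optional[str]:
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=10) as r:
            return r.read(65536).decode("utf-8", "replace")
    except Exception:
        return None


# Constructed sample data standing in for DNS answers and HTTP bodies (not real targets).
SAMPLE_CNAMES = {
    "shop.redacted.com": "shops.myshopify.com",
    "blog.redacted.com": "redacted.github.io",
    "app.redacted.com": "redacted.herokuapp.com",
    # www.redacted.com deliberately has no CNAME.
}
SAMPLE_BODIES = {
    "shop.redacted.com": "<html><body><h1>Sorry, this shop is currently unavailable.</h1></body></html>",
    "blog.redacted.com": "<html><body>Welcome to our blog</body></html>",
    # app.redacted.com returns nothing (connection refused or NXDOMAIN upstream).
}

if __name__ == "__main__":
    hosts = ["shop.redacted.com", "blog.redacted.com", "app.redacted.com", "www.redacted.com"]
    for f in (classify(h, SAMPLE_CNAMES.get, SAMPLE_BODIES.get) for h in hosts):
        print(f"{f.host:20} dangling={str(f.dangling):5} {f.reason}")
```

Only the host whose CNAME ends at a known provider and whose response carries that provider's unclaimed-resource string is reported as dangling; a provider that serves real content, or a CNAME target that no longer resolves at all, is deliberately left for manual follow-up rather than flagged. Against a real target, pass `dig_resolve` and `http_fetch` in place of the sample dictionaries.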

Impact

Because the attacker controls everything served on shop.redacted.com, the subdomain can host phishing pages under the company's own domain name and serve arbitrary scripts from an origin that users, and other parts of redacted.com, trust. The Same Origin Policy itself is not bypassed, since shop.redacted.com is a different origin from www.redacted.com, but the trust the company extends to its own subdomains is: cookies set with Domain=.redacted.com are sent to the attacker's host and can be overwritten from it, and any CORS or CSP allowlist that trusts *.redacted.com now includes an attacker-controlled origin.

Finally, the company does not have a bug bounty program on any bug bounty platform. However, they rewarded me with an amount of money that met my expectations.

Thanks for reading.
