While using nuclei with the template detect-all-takeovers.yaml, I found several (over 20) subdomains of Stanford (stanford.edu) that were pointing to this error page:
That was a clear indicator that those subdomains were susceptible to takeover. The site I usually use to gather information about this type of attack is Can I take Over XYZ?, but this post also helped me get started.
These are the steps I followed in order to take over the subdomains:
1. Create a Pantheon account (here).
2. Create a sandboxed domain using WordPress (or Drupal). After selecting WordPress, it takes a while to deploy:
3. Added a credit card, then subscribed as ‘Professional’ to set up the sandboxed domain.
4. Added the subdomains
One example
All of them
Now the content of the subdomains is controlled by me!
One example: https://foodsecurity.stanford.edu
What’s the reason for this issue?
I tried to find out if those sites were ever properly linked to a Pantheon account, but according to the Wayback Machine they were not. So I guess they created the subdomain, pointed its DNS record at Pantheon, but never configured the site on the Pantheon side.
The DNS record of one of the subdomains was the following:
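As an added example (not from the original post), here is the defender-side check for the root cause described above: a script that flags CNAME records pointing at a hosting provider for which no site has actually been provisioned. The zone lines, the example.edu origin and the provisioned-domain list are constructed; the pantheonsite.io suffix is an assumption about the provider's CNAME target.

```python
"""Audit a DNS zone export for dangling third-party CNAMEs (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Provider suffixes to audit. Assumption: Pantheon-hosted sites are reached via
# CNAMEs under pantheonsite.io; extend for the providers your organisation uses.
PROVIDER_SUFFIXES = ("pantheonsite.io",)

# Constructed BIND-style zone export; these are not any real organisation's records.
ZONE_EXPORT = """\
; constructed sample zone for example.edu
www             300  IN  CNAME  live-www-site.pantheonsite.io.
foodsecurity    300  IN  CNAME  live-foodsecurity.pantheonsite.io.
events          300  IN  CNAME  live-events.pantheonsite.io.
mail            300  IN  A      192.0.2.10
docs            300  IN  CNAME  docs.example-other-host.net.
"""

# Constructed inventory: custom domains actually attached to a site in the
# provider dashboard, i.e. what "configured properly" means in the post.
PROVISIONED_DOMAINS = {"www.example.edu"}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Finding:
    fqdn: str
    target: str


def dangling_cnames(zone_text: str, origin: str, provisioned: set[str]) -> list[Finding]:
    """Return CNAMEs whose target is on an audited provider but whose hostname
    no provisioned site claims. Both conditions must hold: such a record routes
    traffic to the provider while leaving the hostname unclaimed there."""
    findings: list[Finding] = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, and non-CNAME records
        name, target = m.group(1).lower(), m.group(2).lower().rstrip(".")
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        if target.endswith(PROVIDER_SUFFIXES) and fqdn not in provisioned:
            findings.append(Finding(fqdn, target))
    return findings


if __name__ == "__main__":
    for f in dangling_cnames(ZONE_EXPORT, "example.edu", PROVISIONED_DOMAINS):
        print(f"DANGLING {f.fqdn} -> {f.target}: delete the record or claim the domain")
```

Running this against a real zone export and the provider's domain list turns the post's one-off discovery into a recurring control: any record it reports should be removed or the hostname attached to a site before the record is published.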
Did you think the difficult part was the takeover? Stanford has a private bug bounty program, only for students and employees. That's weird. The first rule of the game is:
Right away I knew I was not going to get paid a bounty for this subdomain takeover (for another one I accomplished, I got paid $500). But I still wanted to report the issue; I never imagined it would take me so much time just to send a report!
First wall
After clicking here:
This is where I ended up.
Many hackers publish their discoveries on Twitter; sometimes corporations respond faster and more reliably there. I was wrong. Maybe Facebook would work better?
Tickets, please give me a ticket!
After heavy googling, I ended up submitting a ticket. A ticket.
After 6 days, no answer, no thanks, no bounty. I will update this post if something changes.