Hostile subdomain takeover using Heroku/GitHub/Desk + more

blog.detectify.com

13 points by detectify 12 years ago · 5 comments

abhartiya 12 years ago

Frans - if my memory serves right, I vaguely remember seeing this on someone's blog roughly 1-2 weeks ago. Did you guys independently find this or get the idea from that blog?

  • fransr 12 years ago

    Hey, you are correct, the Heroku "No Such App" issue is not new. Heroku also tries to highlight this in their Knowledge Base entry about wildcard domains and how this should be properly handled when connecting to them.

    I would say that for the majority of the providers we talked with this was already known. The problem is that the users who really are affected do not know about this.

    As our blog entry says, this issue is not isolated to Heroku, and while doing the research about this, we noticed other issues with it.

    One of the most severe things is that Heroku actually provides you with the wildcard SSL that is being used for all domains that are connected. So the attacker's page is also served over SSL. After going through the biggest providers we felt the urge to actually publish this, as it is not well known. And since the attack is non-technical, we are also trying to provide something to easily see if you're affected by it.
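The check fransr describes (is a name on my domain still pointing at a provider where the app no longer exists?) can be done from the defender's side by walking your own DNS records and matching the provider's "unclaimed" page. The following is an added example, not code from the thread or from Detectify; the DNS data and HTTP bodies are constructed inline, the Heroku "No Such App" text is the one discussed in the thread, and the GitHub Pages text is an assumed fingerprint.

```python
import re
from dataclasses import dataclass

# Provider CNAME suffix -> text the provider returns for a name nobody has claimed.
# "No such app" is the Heroku message discussed above; the GitHub Pages entry is an
# assumption modelled on the same idea and should be verified against a real response.
FINGERPRINTS = {
    "herokuapp.com": re.compile(r"no such app", re.I),
    "github.io": re.compile(r"there isn't a github pages site here", re.I),
}

@dataclass
class Finding:
    name: str      # your subdomain
    cname: str     # where its CNAME points
    provider: str  # matched provider suffix

def audit(records, fetch):
    """records: {subdomain: CNAME target or None}; fetch(name) returns the body
    served for that subdomain. Returns subdomains that resolve to a supported
    provider but currently serve that provider's 'unclaimed' page."""
    findings = []
    for name, cname in records.items():
        if not cname:
            continue  # A/AAAA record, not a provider alias; out of scope here
        for suffix, pattern in FINGERPRINTS.items():
            if cname == suffix or cname.endswith("." + suffix):
                if pattern.search(fetch(name)):
                    findings.append(Finding(name, cname, suffix))
    return findings

# Constructed sample data standing in for real DNS lookups and HTTP fetches.
SAMPLE_RECORDS = {
    "old-promo.example.com": "old-promo.herokuapp.com",  # app deleted, CNAME left behind
    "app.example.com": "live-app.herokuapp.com",         # still claimed and serving
    "docs.example.com": "example.github.io",             # Pages site removed
    "www.example.com": None,                             # plain A record
}
SAMPLE_BODIES = {
    "old-promo.example.com": "<html><body>No such app</body></html>",
    "app.example.com": "<html><body>Welcome to our app</body></html>",
    "docs.example.com": "There isn't a GitHub Pages site here.",
}

def fake_fetch(name):
    return SAMPLE_BODIES.get(name, "")

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, fake_fetch):
        print(f"{f.name} -> {f.cname}: unclaimed at {f.provider}; remove the record or reclaim the app")
```

In a real run, `fetch` would be an HTTP client requesting `https://<name>/` and `records` would come from your zone file, so that every dangling alias is found before someone else registers the name at the provider.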

    • abhartiya 12 years ago

      Yes, understood. Great job as always! I just wanted to make sure I am not missing anything here :)

axelnom 12 years ago

Great work, will sign up to scan my full site. Thanks.
