[bprescott-gitlabtest-0.do.gitlap.com] Stale DigitalOcean IP is still attached to GitLab owned host

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1876122 by hamza_g on 2023-02-16, assigned to @cmaxim:


Report

bprescott-gitlabtest-0.do.gitlap.com which is pointing to 178.128.45.166 seems to be vulnerable to elastic IP subdomain takeover.

Issue root cause:

When you spin up EC2 instances that have an IP associated with them (178.128.45.166 in our case), create DNS records pointing to these IPs, and then forget to remove the DNS records after the EC2 instance has been given a new IP or has been destroyed, the EC2 instance IP can be assigned to other public cloud customers.

POC

You can use the openssl command to print SSL certificate information for bprescott-gitlabtest-0.do.gitlap.com

openssl s_client -connect bprescott-gitlabtest-0.do.gitlap.com:443 -servername bprescott-gitlabtest-0.do.gitlap.com </dev/null 2>/dev/null | openssl x509 -text -noout

[attachment: image.png]
As you can see, the associated commonName is bookings.dhcourier.co.uk, which seems to be owned by dhcourier.co.uk.

Recommendations

Remove the bprescott-gitlabtest-0.do.gitlap.com DNS entry.

Impact

The impact of dangling elastic IP subdomain takeover attacks is more serious than a typical subdomain takeover, where you can only control the content being served. With dangling elastic IP takeovers, it is possible for an attacker to do the following:

  • Claim SSL certificates for the subdomain via ACME TLS challenges
  • Listen for traffic on all ports (potentially discovering sensitive information still being sent to the subdomain)
  • Run server-side scripts with the ability to steal HttpOnly cookies, typically leading to a one-click account takeover attack when cookies are scoped to *.domain.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
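A repeatable check for this class of finding, added here as an example; it is not part of the HackerOne report and not GitLab's own tooling. It resolves the name, compares the addresses against an inventory of IPs the organisation still owns (a hypothetical set passed on the command line here; a real inventory would come from the cloud provider's API), and fetches the certificate with SNI to see whether it actually covers the name, which is what the reporter's openssl output showed it does not. The `report_sample()` function replays the report's observed values (IP and certificate name) against a placeholder inventory so the logic can be exercised offline.

```python
"""Check a hostname for a dangling DNS record pointing at a reclaimed cloud IP.

Added example, not part of the HackerOne report or of GitLab's tooling.
Two signals are combined: (1) the resolved address is not in an inventory of
addresses we still own, and (2) the certificate presented on :443 does not
cover the name, which is what the report's openssl output showed.
"""
import socket
import ssl
import sys


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only honoured as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # The wildcard matches exactly one label, so a.b.example.com is not
        # covered by *.example.com.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_covers_host(hostname, san_dns_names, subject_cn=None) -> bool:
    """True if any SAN dNSName (or the CN, when no SAN is present) covers hostname."""
    names = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    return any(dns_name_matches(n, hostname) for n in names)


def unowned_ip_findings(hostname, resolved_ips, owned_ips):
    """One finding per resolved address that is absent from the owned-IP inventory."""
    return [f"{hostname} resolves to {ip}, which is not in the owned-IP inventory"
            for ip in resolved_ips if ip not in owned_ips]


def assess(hostname, resolved_ips, owned_ips, san_dns_names, subject_cn):
    """Return a list of findings; an empty list means nothing looked dangling."""
    findings = unowned_ip_findings(hostname, resolved_ips, owned_ips)
    if not cert_covers_host(hostname, san_dns_names, subject_cn):
        presented = ", ".join(san_dns_names) or subject_cn or "<none>"
        findings.append(f"{hostname}: TLS certificate is for {presented}, not for this name")
    return findings


def report_sample():
    """The report's observation replayed offline.

    IP and certificate name are the values from the report; the owned-IP
    inventory is a placeholder (TEST-NET-3 address), not GitLab's real one.
    """
    return assess("bprescott-gitlabtest-0.do.gitlap.com", ["178.128.45.166"],
                  owned_ips={"203.0.113.10"},
                  san_dns_names=["bookings.dhcourier.co.uk"],
                  subject_cn="bookings.dhcourier.co.uk")


def fetch_cert_names(hostname, port=443, timeout=5.0):
    """Connect with SNI and return (commonName, [SAN dNSNames]) from the leaf cert.

    Chain verification stays on so getpeercert() returns the parsed dict;
    hostname checking is off because a mismatch is exactly what we are after.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = next((value for rdn in cert.get("subject", ()) for kind, value in rdn
               if kind == "commonName"), None)
    return cn, san


def check_live(hostname, owned_ips):
    """Resolve, fetch the certificate and run assess(); needs network access."""
    ips = sorted({ai[4][0] for ai in
                  socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)})
    try:
        cn, san = fetch_cert_names(hostname)
    except (OSError, ssl.SSLError) as exc:
        # No usable TLS endpoint: still report unowned IPs and say why the cert check was skipped.
        return unowned_ip_findings(hostname, ips, owned_ips) + [f"{hostname}: TLS probe failed ({exc})"]
    return assess(hostname, ips, owned_ips, san, cn)


if __name__ == "__main__":
    # Usage: python check_dangling.py <hostname> [owned-ip ...]
    host = sys.argv[1] if len(sys.argv) > 1 else "bprescott-gitlabtest-0.do.gitlap.com"
    owned = set(sys.argv[2:])  # hypothetical inventory supplied by the operator
    for line in check_live(host, owned) or [f"{host}: no findings"]:
        print(line)
```

Run it periodically over every A/AAAA record in the zone rather than on a single name; a record with no finding today can become dangling the moment the droplet behind it is destroyed and its address is handed to another tenant.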