Google Cloud DNS hijacking of org-ci.gke.gitlab.net

HackerOne report #1823175 by d0xing on 2023-01-05, assigned to Ottilia Westerlund:

Report

Hi!

I discovered that org-ci.gke.gitlab.net was pointing to an unclaimed Google Cloud DNS zone, making it vulnerable to NS takeover.

I've claimed it in my account and pointed it to a POC I'm hosting:
http://org-ci.gke.gitlab.net/ZDB4aW5nCg.html

Mitigation

  • Remove the NS records to the zone

Best regards,
d0xing

Impact

The impact of DNS hijacking / NS takeover is:

  • Any DNS records can be added (A, CNAME, MX for receiving/sending emails).
  • Account takeovers (cookies set to .gitlab.net will be shared with this subdomain and can be obtained)
  • Stored XSS (arbitrary JavaScript code can be executed in a user's browser)
  • Phishing
  • Hosting malicious content

How To Reproduce

Please add reproducibility information to this section:
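The root cause in this report is a dangling NS delegation: the parent zone still delegates the subdomain to a hosted-DNS provider, but no zone exists there any more, so whoever creates one on that provider controls the name. The check below is an added defender-side example, not the reporter's or GitLab's code. It probes each delegated nameserver directly for the zone's SOA record and classifies the delegation as hosted, partial or dangling; it uses the heuristic (stated as an assumption) that a provider answers REFUSED or SERVFAIL for a zone it has not been configured to serve, and that a genuine answer carries the AA flag with an SOA RR. All hostnames in the fixture are constructed placeholders.

```python
"""Dangling NS delegation check (stdlib only): does the delegated subdomain actually
exist on the nameservers the parent zone points at?  Defender-side hygiene check."""
import random
import socket
import struct
from typing import Callable, Dict, List

# RFC 1035 response codes. Assumption: a hosted-DNS provider returns REFUSED (or
# SERVFAIL) for a zone nobody has configured on it, which is the dangling signature.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA = 6
FLAG_AA = 0x0400


def build_soa_query(qname: str) -> bytes:
    """One-question query for the SOA of qname, RD=0 so we get the server's own answer."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_SOA, 1)  # class IN


def parse_rcode(query: bytes, response: bytes) -> str:
    """Rcode name of a response; NOERROR only counts when the server is authoritative
    (AA set) and actually returned an answer RR, otherwise it is reported as NOERROR-NOAUTH."""
    if response[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    (flags,) = struct.unpack("!H", response[2:4])
    (ancount,) = struct.unpack("!H", response[6:8])
    rcode = RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    if rcode == "NOERROR" and not (flags & FLAG_AA and ancount > 0):
        return "NOERROR-NOAUTH"
    return rcode


def live_probe(nameserver: str, qname: str, timeout: float = 3.0) -> str:
    """Send the SOA query over UDP to the delegated nameserver (hostname or IP)."""
    query = build_soa_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (socket.gethostbyname(nameserver), 53))
        response, _ = sock.recvfrom(4096)
    return parse_rcode(query, response)


def classify_delegation(qname: str, nameservers: List[str],
                        probe: Callable[[str, str], str]) -> str:
    """'hosted'  : every delegated nameserver answers authoritatively for the zone
       'dangling': none does; the NS records point at nothing and should be removed
                   (the mitigation in the report) or the zone re-created by the owner
       'partial' : mixed answers, still a misconfiguration worth fixing"""
    if not nameservers:
        return "no-delegation"
    answers = {ns: probe(ns, qname) for ns in nameservers}
    hosted = [ns for ns, rc in answers.items() if rc == "NOERROR"]
    if len(hosted) == len(answers):
        return "hosted"
    if not hosted:
        return "dangling"
    return "partial"


# Constructed fixture (placeholder names, not real infrastructure): what each delegated
# nameserver answered to an SOA query for the delegated name.
CONSTRUCTED_ANSWERS: Dict[str, Dict[str, str]] = {
    "ci.example.net":     {"ns-a.dns-provider.example": "REFUSED", "ns-b.dns-provider.example": "REFUSED"},
    "www.example.net":    {"ns-a.dns-provider.example": "NOERROR", "ns-b.dns-provider.example": "NOERROR"},
    "legacy.example.net": {"ns-a.dns-provider.example": "NOERROR", "ns-old.dns-provider.example": "SERVFAIL"},
}


def fake_response(query: bytes, flags: int, ancount: int) -> bytes:
    """Constructed wire response sharing the query's transaction id (for offline testing)."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)


def demo() -> Dict[str, str]:
    """Classify every delegation in the constructed fixture without touching the network."""
    def fixture_probe(ns: str, qname: str) -> str:
        return CONSTRUCTED_ANSWERS[qname][ns]
    return {name: classify_delegation(name, sorted(nss), fixture_probe)
            for name, nss in CONSTRUCTED_ANSWERS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
    # For a real zone inventory: classify_delegation(name, ns_list, live_probe)
```

Run it periodically over every NS record in your own parent zones (the inventory comes from your DNS provider's API or zone file) and alert on `dangling` or `partial`; removing the stale NS records, as the report recommends, is the fix. Note that `live_probe` needs UDP/53 egress and resolves nameserver hostnames with the system resolver.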