by bdittmer 3438 days ago
This is a lot like a bug I found in Heroku's system a few years ago. Basically, if someone doesn't claim the wildcard subdomain for their primary domain and has a wildcard SSL cert, anyone could (can?) claim subdomains. A quick Google search yielded hundreds of exploitable domains. At the time it seemed like a pretty big vector for phishing.

I have no idea if they fixed this and they gave me a t-shirt.

2 comments

I can't recall all the exact details, but there is some validation logic in place along the lines of "if there's a wildcard domain installed then newly added subdomains must be on the same account as the wildcard's owner". You could give it a shot, but I don't think this attack would work.

(I used to help maintain the system responsible for this, but don't work there anymore.)
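The rule quoted in the comment above, sketched as an added example (not Heroku's code and not from either commenter): a hypothetical in-memory `DomainRegistry` whose `claim` method rejects a subdomain when a covering wildcard belongs to a different account. The class, the account ids and the choice to check every parent wildcard are assumptions.

```python
class DomainClaimError(Exception):
    """Raised when a hostname cannot be added to the requesting account."""


class DomainRegistry:
    """Hypothetical registry mapping hostnames (or '*.x' wildcards) to accounts."""

    def __init__(self):
        self._owners = {}

    @staticmethod
    def _normalize(hostname):
        # Compare case-insensitively and ignore a trailing root dot.
        return hostname.strip().rstrip(".").lower()

    @staticmethod
    def _covering_wildcards(hostname):
        # 'a.b.example.com' -> ['*.b.example.com', '*.example.com'].
        # Assumption: every parent wildcard is checked, not only the nearest.
        labels = hostname.split(".")
        return ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]

    def claim(self, account, hostname):
        host = self._normalize(hostname)
        current = self._owners.get(host)
        if current is not None and current != account:
            raise DomainClaimError(f"{host} is already claimed")
        for wildcard in self._covering_wildcards(host):
            owner = self._owners.get(wildcard)
            if owner is not None and owner != account:
                raise DomainClaimError(f"{host} is covered by {wildcard}")
        self._owners[host] = account
        return host


def try_claim(registry, account, hostname):
    """Return True if the claim is accepted, False if it is rejected."""
    try:
        registry.claim(account, hostname)
        return True
    except DomainClaimError:
        return False


if __name__ == "__main__":
    reg = DomainRegistry()  # constructed sample accounts and hostnames
    reg.claim("acct-owner", "*.example.com")
    print(try_claim(reg, "acct-owner", "shop.example.com"))
    print(try_claim(reg, "acct-other", "login.example.com"))
```

The check only helps once the owner has registered the wildcard entry; with only `www.example.org` on file, another account's claim for a sibling subdomain is still accepted.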

This was probably 2012 or 2013. I'll try to find the write-up I sent them, but this check definitely did not exist then.

edit: here's what we sent to Heroku https://gist.github.com/bdittmer/6461b7a5093acd7d6263

> they gave me a t-shirt.

I had the same experience with Salesforce.