by awirth
2200 days ago
You would think so, but it turns out that this ("subdomain takeovers") is a very common misconfiguration for a lot of *aaS services. Enough so that some bug bounty programs won't pay out much for it or at all because it happens so much and they don't consider the shared-suffix issue very important. On the provider side though, requiring ownership verification (TXT records, etc.) introduces friction in the onboarding process. It's likely any reasonably competent provider that doesn't implement verification has had a serious internal discussion about it and decided it's not worth thinning their funnel for.