MarkMonitor left - 60,000 domains

I participate in a lot of bug bounty programs, where I try to automate the discovery of as many security issues as possible.

Many companies do not know all of the assets that they have on the internet. When you know their attack surface better than them, you can find a lot of otherwise trivial issues. One of the easiest types of issues to automatically discover are subdomain takeovers, where a DNS record or a load balancer points traffic towards an unknowing third party. If testing.example.com is pointed towards Amazon S3, what will S3 do if that bucket hasn't been created yet? It will just throw a 404 error — and wait for someone to claim it.

If we claim this domain inside S3 before example.com's owners do, then we can claim the right to use it with S3 and upload anything we want. By necessity, the ability to serve HTML and JavaScript is pretty impactful to the web platform — it bypasses SameSite for that domain, allows reading and setting unprotected and widely-scoped cookies, etc. Knowing this, I was very surprised to see hundreds of alerts from my automation in a few minutes — all claiming to have successfully captured S3 buckets for root domains belonging to major companies. Thinking I had broken it and it had gone off the rails, I quickly took a look and noticed that it had indeed worked, and my content was being served on a ton of domains with bug bounty programs.
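The check my automation runs is essentially the one below, written here as an added, self-contained example for auditing your own zone rather than code from the original post: for each record it asks whether the name is served by S3 and whether S3 answers with NoSuchBucket, which is the "404 and wait for someone to claim it" state described above. It works for root-domain A/ALIAS records as well as CNAMEs, because it keys off the S3 response rather than only the DNS target; the zone, the hostnames and the canned responses are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Virtual-hosted S3 bucket and static-website endpoint hostnames, e.g.
# bucket.s3.amazonaws.com or bucket.s3-website-us-east-1.amazonaws.com.
S3_ENDPOINT = re.compile(r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$")

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")

def served_by_s3(resp):
    # S3 identifies itself in the Server header whatever the DNS record looks like,
    # so root domains pointed at S3 via A/ALIAS records are caught too.
    return resp.header("Server") == "AmazonS3"

def classify(rtype, target, resp):
    hinted = rtype == "CNAME" and bool(S3_ENDPOINT.search(target.lower()))
    if not (hinted or served_by_s3(resp)):
        return "not-s3"
    if resp.status == 404 and "<Code>NoSuchBucket</Code>" in resp.body:
        return "dangling"  # bucket does not exist: fix the record or create the bucket
    return "ok"

def audit(records, fetch):
    """Return the names whose record resolves to an S3 bucket that does not exist."""
    return [name for name, rtype, target in records
            if classify(rtype, target, fetch(name)) == "dangling"]

# Constructed sample zone and canned HTTP responses (stand in for real fetches).
ZONE = [
    ("testing.example.com", "CNAME", "testing-example.s3-website-us-east-1.amazonaws.com"),
    ("example.com", "A", "52.0.0.1"),  # root domain: no hostname hint in the record
    ("www.example.com", "CNAME", "live.s3.amazonaws.com"),
    ("mail.example.com", "A", "203.0.113.5"),
]
NOSUCH = '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code></Error>'
CANNED = {
    "testing.example.com": Response(404, NOSUCH, {"Server": "AmazonS3"}),
    "example.com": Response(404, NOSUCH, {"server": "AmazonS3"}),
    "www.example.com": Response(200, "<html>live site</html>", {"Server": "AmazonS3"}),
    "mail.example.com": Response(404, "not found", {"Server": "nginx"}),
}

if __name__ == "__main__":
    print(audit(ZONE, CANNED.__getitem__))  # ['testing.example.com', 'example.com']
```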

At this point I had no idea what to do — why were there so many impacted domains across many organizations, and how was I even going to submit all of these issues? However, I noticed that the domains were slowly being changed to a MarkMonitor parked domain page. It became clear that these were all parked domains with varying degrees of use, and they were all registered via MarkMonitor. This is a bit surprising, because MarkMonitor sells itself as the domain registrar that does not make mistakes. It would be hard to overstate the cost of losing domains for a tech company — anything that is pointed to them will immediately begin directing their traffic elsewhere. MarkMonitor is not a cheap solution to this problem, but it is widely used (apparently by "more than half of the Fortune 100", per the page).

Full Version

Many companies — including MarkMonitor themselves — do not run a vulnerability disclosure or bug bounty program, so they are not included in my scanning and would not have been detected.