Thank you for the pull request, @prial261. Please update the issue ticket with these details , link directly to your comment in the table reference, and then please add an actual fingerprint if possible in the "Fingerprint" column. I am trying to keep the table as uniform as possible; thank you for your understanding.

Thank you, @prial261.

Has someone informed Statuspage about this?

@JLLeitschuh , Informed . No replay from them :')

@prial261 what about this scenario ?
status.company.com. 299 IN CNAME company.statuspage.io.
company.statuspage.io. 59 IN CNAME elb-status-us.statuspage.io.
elb-status-us.statuspage.io. 59 IN A 18.234.32.149

Looks like time to say good bye Subdomain takeover by Statuspage

If I am not wrong statuspage was known to be vulnerable before you created this issue. If what I have just said is true, I don't agree with taking an exact copy of the knowledge from this repository or another source and try to make money out of it.
This is like the guy who reported to Shopify, we all know about it including Shopify and he went ahead to report it and try to make some money with an exact copy of the knowledge someone else shared with all of us.
That would be very easy then, I go to the table at https://github.com/EdOverflow/can-i-take-over-xyz
and take all the services "Vulnerable" and report to them, that would be silly in my opinion.
The gift is the knowledge, not the bug. I mean, if somebody shares something, he shares the information and not a report for free.
Anyway, congratulations for the reward.

@melardev , no you are wrong . Before creating this pull statuspage was Not Vulnerable . According to #65 Statuspage no longer vulnerable what was created before my pull then I discovered that they are not doing proper verification of ownership what can be bypassed and that's why I reported it to them to let them know and I also wasn't expecting a bounty for that report and also this is not about earning $$$ , If I wish to do that then I would search for vulnerable companies rather then reporting to directly to the company .

You can see more info from :- https://help.statuspage.io/help/domain-ownership

cheers

@prial261 I was not making an accusation against you because I was not quite sure,
I knew it was vulnerable in the past, but I did not check if they fixed this before you opened this issue, but I still wanted to leave this comment for others, because even though it is not applicable against you, it may be for others, I have seen many times people taking the "Vulnerable" services posted here and reporting to them to make money, which is crazy, it is like if I take the Citrix exploit disclosed by "Project Zero India" and report it to Citrix claiming I found a bug in their software ...
Here we have one cool example of what I have just said: #127

No hate to nobody, just saying what I think is fairer and more respectful to the original finders.

Hi @melardev ,
I understand your side , you are right that it is not ethical to use others ideas claiming as yours to make money . I also didn't thought about reporting it as reporting will result good by to takeover forever but then I understand that if I don't report someone will do it for sure 😄

I'm surprised Atlassian was fine with this being publicly disclosed before they fixed it. Their BB program explicitly calls out disclosure is only allowed if they agree to disclosure.

@JLLeitschuh , Sadly I though to report it after pulling it here , I also added this link as reference in that report too .

Looks no more vulnerable (maybe in some old specific cases, or maybe in cases where some box share same dns pointing..)

Recently, I've come across a subdomain "xyz.program.com" pointing to statuspage services. I'm able to add the subdomain to my statuspage account.

This was not working for couple of other programs, and I would get the message, the Custom domain is already in use.

In the past, on completion of setting up the custom domain to your page, when visiting the custom domain (without activating) would redirect you to your page, hence confirming the takeover. The POC would required a $29 plan to redirect to work for the public.

Now, for the "xyz.program.com" it is still redirecting to the statuspage homepage. Anyone aware if activating the account, would ensure the POC to be hosted. I do not want to spend $29, if it won't work.

Thanks
sumgr0

Can stspg-customer.com subdomain still be taken over?

@daxin09pp , This issue was fixed from their side , so No more Takeover Possible . I will push update soon on this repo .

Thank you for your quick reply. @prial261

Status page pushed a DNS verification in order to prevent malicious takeovers what they mentioned in https://support.atlassian.com/statuspage/docs/configure-your-dns/

However when I created this Pull request I was able to bypass this DNS verification as there was no mechanism what verifies if the expected value for customers CNAME record matches with the statuspage account what was fixed later after my report to their program.

So no more takeover here until any genius find any other way :D

Happy hacking <3