Subdomain takeover of blog.snapchat.com

My dog waiting for the FBI to show up

The Issue

Snapchat does not have a lot of public-facing subdomains; as of right now, a basic subdomain scan on pentest-tools.com shows only 13 subdomains (compared to 799 for Facebook). I figured that with a high-profile bounty program like Snapchat's these would be tested pretty hard, and decided not to bother. However, I've been doing some WordPress hacking lately and blog.snapchat.com caught my eye.

There’s nothing here.

The DNS record for blog.snapchat.com shows a CNAME record and some logic pointing to snapchat-blog.com, which resolved to the below page.

Tumblr 404 page

I have limited experience with Tumblr but I assumed this was an unclaimed blog page. My first guess was that in the background they were pointing to some website like snapchat.tumblr.com, but that blog was already taken, so this was wrong.

After some digging I found out Tumblr has the same custom domain setup as many other websites:

Point your DNS to their IP through an ANAME record

Let the website deal with the CNAME stuff.

I was able to verify this by nslookup, seeing that snapchat-blog.com pointed to 66.6.32.21, an IP owned by Tumblr for custom domain routing.

# nslookup snapchat-blog.com
Non-authoritative answer:
Name:    snapchat-blog.com
Address: 66.6.32.21
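The chain above (subdomain → CNAME → apex domain → A record on a hosting provider's shared IP, with the provider serving its generic "not found" page because no account currently claims the domain) is exactly what a defender's dangling-DNS check needs to flag. The script below is an added example, not code from the original post: it follows CNAME chains, matches the terminal IP or hostname against a table of hosted services that allow customers to claim custom domains, and then looks for the provider's unclaimed-domain fingerprint in the served page. DNS and HTTP are injected as callables so it runs offline against a constructed record table; the 66.6.32.21 address and the "There's nothing here." text come from the post, while the other zone entries, the `.tumblr.com` CNAME suffix and the 198.51.100.10 address are constructed placeholders.

```python
"""Dangling-CNAME / unclaimed custom-domain checker (added example).

resolve(name) -> ("CNAME", target) | ("A", ip) | None   (None = NXDOMAIN)
fetch(name)   -> response body as str | None
Swap in dns.resolver / requests for a live run; the sample tables below
are constructed so the example runs stand-alone.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed zone data (assumption). Only the blog.snapchat.com ->
# snapchat-blog.com -> 66.6.32.21 path mirrors what the post reports.
SAMPLE_ZONE = {
    "blog.snapchat.com": ("CNAME", "snapchat-blog.com"),
    "snapchat-blog.com": ("A", "66.6.32.21"),
    "shop.example.com": ("CNAME", "shop.tumblr.com"),    # claimed custom domain
    "shop.tumblr.com": ("A", "66.6.32.21"),
    "www.example.com": ("CNAME", "example.com"),         # ordinary CNAME, own host
    "example.com": ("A", "198.51.100.10"),
    "old.example.com": ("CNAME", "gone.example.net"),    # target no longer exists
}

# Constructed HTTP bodies (assumption).
SAMPLE_PAGES = {
    "blog.snapchat.com": "<html><body><h1>There's nothing here.</h1></body></html>",
    "shop.example.com": "<html><body><h1>Welcome to our shop</h1></body></html>",
}

# Hosted services that let any customer attach an arbitrary custom domain.
# 66.6.32.21 is the Tumblr custom-domain IP from the post; the suffix table
# is an assumption about how such providers are usually recognised.
PROVIDER_IPS = {"66.6.32.21": "tumblr"}
PROVIDER_CNAME_SUFFIXES = {".tumblr.com": "tumblr"}

# Text a provider serves when the domain is routed to it but unclaimed.
# The Tumblr string is the 404 caption quoted in the post.
UNCLAIMED_FINGERPRINTS = {"tumblr": "There's nothing here."}

Resolver = Callable[[str], Optional[Tuple[str, str]]]
Fetcher = Callable[[str], Optional[str]]


@dataclass
class Finding:
    name: str
    chain: List[str]            # hostnames visited, starting with `name`
    provider: Optional[str]
    status: str                 # "ok" | "dangling" | "unclaimed" | "claimed"


def follow_chain(name: str, resolve: Resolver, max_hops: int = 8):
    """Follow CNAMEs to an A record. Returns (chain, ip); ip is None if the
    chain dead-ends in NXDOMAIN or exceeds max_hops (loop guard)."""
    chain = [name]
    current = name
    for _ in range(max_hops):
        rec = resolve(current)
        if rec is None:
            return chain, None
        rrtype, value = rec
        if rrtype == "A":
            return chain, value
        chain.append(value)
        current = value
    return chain, None


def identify_provider(chain: List[str], ip: str) -> Optional[str]:
    """Map the terminal IP or any hostname in the chain to a known provider."""
    if ip in PROVIDER_IPS:
        return PROVIDER_IPS[ip]
    for host in chain:
        for suffix, provider in PROVIDER_CNAME_SUFFIXES.items():
            if host.endswith(suffix):
                return provider
    return None


def check(name: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    chain, ip = follow_chain(name, resolve)
    if ip is None:
        return Finding(name, chain, None, "dangling")
    provider = identify_provider(chain, ip)
    if provider is None:
        return Finding(name, chain, None, "ok")
    # Routed to a provider: only the served page tells us whether an account
    # still owns the domain, so fetch it and look for the unclaimed banner.
    body = fetch(name) or ""
    fingerprint = UNCLAIMED_FINGERPRINTS.get(provider)
    if fingerprint and fingerprint in body:
        return Finding(name, chain, provider, "unclaimed")
    return Finding(name, chain, provider, "claimed")


def scan(names: List[str], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    """Return every finding that is not a plain 'ok'."""
    return [f for f in (check(n, resolve, fetch) for n in names) if f.status != "ok"]


if __name__ == "__main__":
    for f in scan(["blog.snapchat.com", "old.example.com", "www.example.com",
                   "shop.example.com"], SAMPLE_ZONE.get, SAMPLE_PAGES.get):
        print(f"{f.status:9s} {f.name}  via {' -> '.join(f.chain)}  [{f.provider}]")
```

Run periodically against your own zone export; "dangling" (the CNAME target no longer resolves at all) and "unclaimed" (the target resolves to a provider that is serving its placeholder page) are the two states to alert on, and a "claimed" result on a provider IP is still worth recording so a later flip to "unclaimed" is noticed within the 24-hour window the post describes.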

Viewing Google’s cached copy of this page shows this domain was properly claimed the day before (9/24). Snapchat must have accidentally removed the custom domain claim from their Tumblr account in the last 24 hours, probably in preparation for switching to snap.com/news for their recent re-branding.

After I figured out how Tumblr handled CNAMEs it was as easy as going to my account settings and claiming the domain name.

Tumblr custom domain settings

My First Tumblr

Visiting blog.snapchat.com (which redirects to snapchat-blog.com) then showed the following