Authentication bypass on Ubiquiti's SSO via subdomain takeover of ping.ubnt.com

I publicly disclosed a vulnerability that I responsibly reported to Ubiquiti via the HackerOne platform. It concerned a subdomain takeover of ping.ubnt.com via Amazon CloudFront, combined with session cookies scoped to the parent domain and therefore shared between all *.ubnt.com subdomains, which ultimately led to a complete authentication bypass of their SSO system (sso.ubnt.com). It can be found here.
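The chain above has two independent preconditions: a hostname whose CNAME points at a CloudFront distribution nobody owns, and an SSO cookie whose Domain attribute makes the browser send it to every host under the parent domain. The following audit helper, added here as an illustration and not code from the original report, checks both against constructed sample data; the CloudFront "unclaimed distribution" markers, the cookie name `sso_session` and the CNAME targets are assumptions.

```python
from http.cookies import SimpleCookie

CLOUDFRONT_SUFFIX = ".cloudfront.net"
# Phrases CloudFront serves when the Host header matches no distribution.
# Heuristic (assumption): confirm against a current live error page.
UNCLAIMED_MARKERS = ("The request could not be satisfied", "Bad request")

def is_dangling_cloudfront(cname_target, status, body):
    """True when a host aliases CloudFront but no distribution claims it."""
    target = cname_target.lower().rstrip(".")
    if not target.endswith(CLOUDFRONT_SUFFIX):
        return False
    return status == 403 and all(m in body for m in UNCLAIMED_MARKERS)

def cookie_domain(set_cookie):
    """Return (name, Domain attribute without leading dot) of a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    return name, morsel["domain"].lower().lstrip(".")

def hosts_sharing_cookie(set_cookie, sso_host, candidate_hosts):
    """Candidate hosts (other than sso_host) the browser would also send this
    cookie to. A host-only cookie (no Domain attribute) goes to sso_host only."""
    name, domain = cookie_domain(set_cookie)
    if not domain:
        return name, []
    shared = [h for h in candidate_hosts if h == domain or h.endswith("." + domain)]
    return name, [h for h in shared if h != sso_host]

def exposure(sso_host, set_cookie, dns_records):
    """Dangling CloudFront aliases that would also receive the SSO cookie."""
    dangling = [r["host"] for r in dns_records
                if is_dangling_cloudfront(r["cname"], r["status"], r["body"])]
    name, leaking = hosts_sharing_cookie(set_cookie, sso_host, dangling)
    return name, sorted(leaking)

# Constructed sample data; not captured from the real service.
SAMPLE_RECORDS = [
    {"host": "ping.ubnt.com", "cname": "d111111abcdef8.cloudfront.net.",
     "status": 403, "body": "ERROR: The request could not be satisfied. Bad request."},
    {"host": "www.ubnt.com", "cname": "d222222abcdef8.cloudfront.net.",
     "status": 200, "body": "<html>ok</html>"},
]
# Parent-scoped cookie (the weak setting) beside a host-only cookie (the fix).
SAMPLE_COOKIE = "sso_session=REDACTED; Domain=.ubnt.com; Path=/; Secure; HttpOnly"
SAMPLE_FIXED = "sso_session=REDACTED; Path=/; Secure; HttpOnly"
```

With the parent-scoped cookie, `exposure("sso.ubnt.com", SAMPLE_COOKIE, SAMPLE_RECORDS)` flags ping.ubnt.com; with the host-only cookie the same dangling record is still worth cleaning up but no longer receives the session.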

Belgian. IT Security. Bug Bounty Hunter.

Arne Swinnen