Subdomain takeover on a subdomain under firefox.com
Medium
Mozilla
Reported by
martinvw
Vulnerability Details
Technical details and impact analysis
## Summary:
Subdomain takeover via ██████████ of █████
## Steps To Reproduce:
The subdomain ████ is a CNAME to www.mozilla.org (which is hosted at ███████), however it was not currently registered at ███████. By claiming it I was able to take it over.
As PoC please visit: ██████
It seems that the CAA records do not allow ████████ to generate an SSL certificate for me.
## Supporting Material/References:
Following the documentation of this program I decided to report it:
> Domain takeovers supported by a proof of concept for *.mozilla.org, *.mozilla.com, *.mozilla.net, *.firefox.com, *.mozgcp.net and *.mozaws.net in addition to the list of sites in scope. If the domain is pointing to a claimed instance by another company, then the report will not be eligible for bounty.
## Impact
## Summary:
Given this is a very generic and trustworthy domain name it is suitable for a malware campaign. Besides that it could maybe read some non-secure cookie but that is not that likely.
We could, however, use the domain to block access of individual users by setting some large cookies, see for example www.firefox.com after setting 100kb of cookies via http://████/large-cookies.html
{F3852214}
This action can also be performed via e.g. a tracking pixel.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$500.00
Weakness
Misconfiguration
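An added example, not part of the original report or of Mozilla's tooling: an offline audit for the pattern described above, where an alias points at an internal name that is itself live on a hosting provider, so checking only that the CNAME target resolves would miss it. It assumes the provider serves content per requested hostname; the provider suffix, all hostnames, and the claimed-domain list are constructed placeholders.

```python
# Added example: offline audit for the dangling-alias pattern in this report.
# All hostnames and the provider suffix below are constructed placeholders.

PROVIDER_SUFFIX = ".edge.hosting-provider.example"  # assumed provider edge zone

# Constructed CNAME inventory (name -> target), e.g. exported from the DNS zone.
CNAMES = {
    "www.corp.example": "corp-site.edge.hosting-provider.example",
    "promo.brand.example": "www.corp.example",      # alias of an internal name
    "docs.brand.example": "www.corp.example",
    "mail.brand.example": "mx.mailhost.example",    # not on the provider
}

# Constructed list of custom domains claimed in the organisation's provider account.
CLAIMED = {"www.corp.example", "docs.brand.example"}


def resolve_chain(name, cnames, max_hops=8):
    """Follow CNAMEs from `name`; return every hop, ending at the terminal name."""
    chain = [name.lower().rstrip(".")]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]].lower().rstrip(".")
        if nxt in chain or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or overly long chain at {name}")
        chain.append(nxt)
    return chain


def find_unclaimed(cnames, claimed, provider_suffix=PROVIDER_SUFFIX):
    """Return names that reach the provider but are not claimed in our account."""
    findings = []
    for name in sorted(cnames):
        chain = resolve_chain(name, cnames)
        # The check is on the first hop (the name a client requests),
        # not on the target, which may be perfectly healthy.
        if chain[-1].endswith(provider_suffix) and chain[0] not in claimed:
            findings.append((chain[0], " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for host, path in find_unclaimed(CNAMES, CLAIMED):
        print(f"UNCLAIMED at provider: {host} ({path})")
```

Each finding is resolved either by claiming the hostname in the organisation's own provider account or by deleting the DNS record.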