Hijack any launchrock page in 1 minute

I was able to hijack any launchrock page by overriding a setting.


Yes. This vulnerability lets any launchrock user hijack your launchrock landing page (embedded widgets are safe).

Show me!

So who is affected?

Any custom launchrock domain whose CNAME record points to sites.launchrock.com, which is basically pointing your DNS to launchrock servers, is vulnerable to this attack.

I was successfully able to hijack my friend’s launch.examplesite.com as well as a few launch pages of my own.

$ dig launch.examplesite.com @
;; ANSWER SECTION:
launch.examplesite.com. 21599 IN CNAME sites.launchrock.com.
sites.launchrock.com. 299 IN A

This works because launchrock does not check whether:

  1. you own that domain or not
  2. the domain is already in use by some other site (Tumblr does this)

So, anybody with malicious intentions can hijack at least 1000 sites that currently point to launchrock servers.
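
The two missing checks listed above, written as the decision a platform could make before accepting a siteDomain change. This is an added example, not launchrock's code: the function names, the `_site-verify` TXT label, the token format and the sample data are all hypothetical, and proving ownership with a DNS TXT token is an assumed mechanism. The caller is assumed to have resolved the TXT records already.

```javascript
// Added example: all names, the TXT label and the sample data are hypothetical.
const HOSTNAME = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

// Compare hostnames case-insensitively and without the trailing root dot.
function normalizeDomain(name) {
  return String(name).trim().toLowerCase().replace(/\.$/, '');
}

// Name under which the site owner publishes the per-site token.
function challengeName(domain) {
  return '_site-verify.' + normalizeDomain(domain);
}

// txtRecords uses the shape of Node's dns.resolveTxt: one array of string
// chunks per record, so chunks are joined before comparing.
function hasToken(txtRecords, token) {
  return txtRecords.some((chunks) => chunks.join('') === token);
}

// site: { id, verifyToken } for the authenticated caller.
// claims: Map of normalized domain -> site id that already serves it.
// txtRecords: TXT records the caller resolved for challengeName(domain).
function decideDomainClaim(site, requestedDomain, claims, txtRecords) {
  const domain = normalizeDomain(requestedDomain);
  if (domain.length > 253 || !HOSTNAME.test(domain)) {
    return { ok: false, reason: 'invalid-domain' };
  }
  // Check 2 from the list: the domain is already in use by another site.
  const holder = claims.get(domain);
  if (holder !== undefined && holder !== site.id) {
    return { ok: false, reason: 'domain-in-use' };
  }
  // Check 1 from the list: the caller controls the domain's DNS.
  if (!hasToken(txtRecords, site.verifyToken)) {
    return { ok: false, reason: 'ownership-not-proven' };
  }
  return { ok: true, domain };
}

// Constructed sample state: one existing page and a second account's site.
const claims = new Map([['launch.examplesite.com', 'SITE-A']]);
const siteA = { id: 'SITE-A', verifyToken: 'verify-aaaa1111' };
const siteB = { id: 'SITE-B', verifyToken: 'verify-bbbb2222' };

console.log(decideDomainClaim(siteB, 'Launch.ExampleSite.com.', claims, []));
console.log(decideDomainClaim(siteB, 'launch.newsite.example', claims, [['verify-', 'bbbb2222']]));
```

The in-use check runs on the normalized name, so a different case or a trailing dot does not slip past it, and it rejects the request even when the second account presents a valid token of its own.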

How can I quickly try this hack?

  1. Create a “new project” / use an existing project
  2. Point your project’s domain to an existing launchrock page’s domain (Feel free to use launch2.yekkada.com to test it out.)

Quick try for developers:

$.ajax({url: 'http://platform.launchrock.com/v1/updateSiteSetting', method: 'POST', data: {session_id: 'session_id', site_id: 'FV0CNZBC', setting_name: 'siteDomain', setting_value: 'launch2.yekkada.com'} });

$.ajax({url: 'http://platform.launchrock.com/v1/launchSite', method: 'POST', data: {site_id: 'FV0CNZBC'} });

It took me more time to get around the UI than to find this bug. I could not use the ‘advanced code editor’.

Is there no solution?

Until launchrock comes up with a solution (something along the lines of Google Apps’ approach to custom domains), there seems to be only one solution to this if you want to continue to use launchrock.

Use your own server to “embed” the same code.

That’s what we ended up doing for our idea of VacantWalls.

Is embedding secure?

Yes, compared to pointing your site’s DNS to launchrock’s servers.

We have already brought this to launchrock’s attention and it was fixed within the week.
