Subdomain Takeover on Ngrok (Now Fixed by Ngrok)

Subdomain takeover is a common but often overlooked vulnerability class that can have serious consequences. It occurs when a subdomain points to an external service (like GitHub Pages, Heroku, or Ngrok) that is no longer in use, but the DNS record is still active. This opens the door for an attacker to claim that resource and serve content under your domain, potentially leading to phishing, brand abuse, or worse.


When visiting a vulnerable subdomain like:

http://subdomain.example.com

You’d see this error:

Tunnel subdomain.example.com not found

This usually means the subdomain has a dangling CNAME, pointing to a service that’s no longer active.

If you inspect the DNS records, you might find a CNAME entry like:

xxxxxxxx.cname.us.ngrok.io

This indicates that the domain was using Ngrok’s custom subdomain feature, which becomes exploitable once the tunnel backing it is no longer active while the CNAME still points at Ngrok.
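The two signals above (a CNAME under cname.<region>.ngrok.io and the "Tunnel ... not found" page) are enough to flag dangling records in your own DNS zone before anyone else does. The checker below is an added example, not code from the original post or from Ngrok; it assumes the fingerprint exactly as described above, uses constructed sample data for the offline checks, and needs the dnspython package plus network access only for the optional live lookup.

```python
import re
import urllib.error
import urllib.request
from typing import Optional

# ngrok custom-domain CNAME targets, e.g. xxxxxxxx.cname.us.ngrok.io (region varies).
NGROK_CNAME_RE = re.compile(r"\.cname\.[a-z0-9-]+\.ngrok\.io\.?$", re.IGNORECASE)
# Error text ngrok's edge serves when no tunnel backs the hostname.
TUNNEL_NOT_FOUND_RE = re.compile(r"Tunnel\s+(\S+)\s+not found", re.IGNORECASE)

# Constructed samples mirroring the post; not real DNS data or a real response.
SAMPLE_CNAME = "xxxxxxxx.cname.us.ngrok.io."
SAMPLE_BODY = "<html><body>Tunnel subdomain.example.com not found</body></html>"


def points_to_ngrok(cname: str) -> bool:
    """True if the CNAME target is an ngrok custom-domain endpoint."""
    return bool(NGROK_CNAME_RE.search(cname.strip()))


def classify(host: str, cname: Optional[str], body: Optional[str]) -> str:
    """Return 'not-ngrok', 'active' or 'dangling'. 'dangling' needs both signals:
    an ngrok CNAME and the not-found page naming this exact host."""
    if cname is None or not points_to_ngrok(cname):
        return "not-ngrok"
    m = TUNNEL_NOT_FOUND_RE.search(body or "")
    if m and m.group(1).lower().rstrip(".") == host.lower().rstrip("."):
        return "dangling"
    return "active"


def check_live(host: str, timeout: float = 5.0) -> str:
    """Resolve the CNAME, fetch the page, classify. Needs network + dnspython."""
    import dns.resolver  # imported lazily so the offline functions above work alone
    try:
        cname = str(dns.resolver.resolve(host, "CNAME")[0].target)
    except Exception:  # NXDOMAIN, no CNAME record, resolver timeout
        return "not-ngrok"
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            body = r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # ngrok serves the error page with a 404
        body = e.read(4096).decode("utf-8", "replace")
    except Exception:  # connection refused/timeout: cannot confirm, treat as active
        body = ""
    return classify(host, cname, body)
```

Run check_live over every CNAME in your zone file on a schedule; anything reported as "dangling" should have its record deleted (or the tunnel re-established) rather than left for someone else to reserve.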


Exploiting the Takeover (Prior to Fix)

To exploit this (when it was still open), you’d need a paid Ngrok account, since custom subdomains are only available for premium users:


✅ Step-by-Step Exploitation

  1. Create a Ngrok account
    → Sign up at ngrok.com
  2. Set up Ngrok locally
    → Follow the guide: https://dashboard.ngrok.com/get-started
  3. Reserve the subdomain
    → Go to Ngrok Reserved Domains
    → Enter the vulnerable subdomain (e.g., subdomain.example.com) and click Reserve
  4. Run the tunnel on your local machine:
    → ngrok http -region=us -hostname=subdomain.example.com 80


Now, the subdomain is yours. Any request to subdomain.example.com would be routed to your local server via Ngrok.



Current Status

This issue has now been resolved by Ngrok. Attempting to reserve a subdomain that previously belonged to another user or domain now results in an error or restriction.


Disclaimer:
This post is purely educational. Subdomain takeover testing should always be conducted on systems you own or have explicit permission to test.
