Security Research - Proof of ConceptAPI Management Subdomain Takeover confirmed
This Azure API Management endpoint is now controlled by an independent security researcher - not by the domain owner. A dangling DNS/CNAME record still points this hostname to an APIM instance name that had been decommissioned, and which was re-registered to demonstrate the risk.
Controlled hostname → caz-test-vik-apim.azure-api.net
What a real attacker could do
- Serve malicious APIs / responses under a trusted, allow-listed API domain.
- Harvest API keys, tokens & credentials from any client still calling this endpoint.
- Phishing & OAuth / SSO abuse if this host is a trusted origin or redirect target.
- Bypass CORS / allow-list trust the primary application places in this subdomain.
Nothing of yours was touched. This is an authorized, non-destructive proof of concept. No data, systems, or configuration belonging to the organization were accessed, modified or deleted - this page is served purely because of a dangling DNS record. Please refer to the corresponding report on your Bug Bounty Switzerland (BBS) program for details and remediation. The hostname can be released back to you immediately on request.
Reported by
Ramin Topfer - Bug Bounty Switzerland (BBS) ·
LinkedIn