$500 Bounty: Subdomain Takeover on live.firefox.com via Unclaimed Fastly CNAME
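The article describes the subdomain takeover risk caused by an unregistered CDN entry: the firefox.com subdomain live.firefox.com had a CNAME pointing to Fastly with no service configured, so a researcher was able to take it over and it could have been used for malicious attacks, which highlights the serious threat this kind of technical issue poses to network security. 2025-7-5 02:45:21 Author: infosecwriteups.com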

How an Unregistered CDN Entry Could’ve Been Weaponized for Malware Campaigns and Cookie-Based Attacks

Monika sharma

When a domain as recognizable as firefox.com has a dangling subdomain, it’s not just a technical misstep—it’s an open door for phishing, malware delivery, and trust abuse.

Security researcher martinvw earned a $500 bounty from Mozilla by identifying and successfully proving a subdomain takeover vulnerability on live.firefox.com. The root cause? A CNAME pointing to Fastly without a corresponding service registration, allowing the researcher to claim the subdomain and serve arbitrary content under Firefox’s domain umbrella.

This write-up details the vulnerability, exploitation process, and the potential real-world impact of such an oversight.

A subdomain takeover occurs when:

  • A subdomain (e.g., live.firefox.com) points via CNAME to a service (like Fastly),
  • But that service is not claimed or configured by the original domain owner,
  • Allowing attackers to claim the endpoint and control what content is served.
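
The three conditions above can be checked against your own DNS zone export. The following is an added example, not code from the article or from Mozilla: it follows CNAME chains, selects names that end at a CDN provider, and classifies each from the provider's response. The `.fastly.net` suffix, the "unknown domain" error text, the `probe` callable and all sample records are assumptions or constructed data.

```python
# Assumed fingerprints (not from the article): the CNAME suffix and the error text
# an edge returns for a hostname no customer has registered. Verify per provider.
PROVIDER_SUFFIXES = {"fastly": (".fastly.net",)}
UNCLAIMED_MARKERS = {"fastly": "fastly error: unknown domain"}

def norm(name):
    return name.strip().rstrip(".").lower()

def resolve_chain(name, cnames, limit=8):
    """Follow CNAMEs found in the zone export; stop on a loop or at the hop limit."""
    chain = [norm(name)]
    while chain[-1] in cnames and len(chain) <= limit:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def provider_for(target):
    return next((p for p, sfx in PROVIDER_SUFFIXES.items() if target.endswith(sfx)), None)

def audit_zone(records, probe):
    """Classify every CNAME in the zone whose chain ends at a known CDN provider."""
    cnames = {norm(n): norm(t) for n, rtype, t in records if rtype.upper() == "CNAME"}
    findings = {}
    for name in cnames:
        prov = provider_for(resolve_chain(name, cnames)[-1])
        if prov is None:
            continue  # not CDN-backed, out of scope for this check
        resp = probe(name)  # hypothetical callable: GET with Host: <name> -> (status, body) or None
        if resp is None:
            findings[name] = "unreachable"
        elif UNCLAIMED_MARKERS[prov] in resp[1].lower():
            findings[name] = "dangling"  # DNS points at the CDN, nobody owns the service
        else:
            findings[name] = "claimed"
    return findings

# Constructed zone export and probe responses; example.test and the targets are placeholders.
ZONE = [("live.example.test.", "CNAME", "Edge.Example.Test."),
        ("edge.example.test", "cname", "unclaimed.placeholder.fastly.net"),
        ("www.example.test", "CNAME", "site.placeholder.fastly.net."),
        ("mail.example.test", "CNAME", "mx.mailhost.example")]
RESPONSES = {"live.example.test": (500, "Fastly error: unknown domain: live.example.test."),
             "edge.example.test": (500, "Fastly error: unknown domain: edge.example.test."),
             "www.example.test": (200, "<html>ok</html>")}
FINDINGS = audit_zone(ZONE, RESPONSES.get)
```

A "dangling" result is resolved by either removing the DNS record or registering the hostname on a service you control at the provider.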

Source: https://infosecwriteups.com/500-bounty-subdomain-takeover-on-live-firefox-com-via-unclaimed-fastly-cname-c7d1971e1a32?source=rss----7b722bfd1b8d--bug_bounty