Azure Devops account takeover via dangling subdomain takeover

Published Mon, Nov 7th, 2022


Binary Security discovered and registered two dangling subdomains corresponding to subdomains at Had these been discovered and registered by an attacker, this would have been equivalent to a 1-click vulnerability for Azure DevOps: the attacker could have crafted a URL referring to the sign-in API for Azure DevOps Services ( using one of the two subdomains in the "reply_to" field (since subdomains of would be allowed by the API). If clicked on by a target Azure DevOps user, this would have sent an authentication token to an attacker-controlled server, thereby allowing account takeover.
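The weak check described above (any subdomain of the trusted domain accepted in `reply_to`) contrasted with an exact allow-list, as an added example that is not code from Binary Security or from the Azure DevOps service. The domain `devops.example.test`, the registered reply URLs and the dangling host `old-demo` are constructed placeholders, not the real subdomains from the report.

```python
# Added example: suffix-based reply_to validation (any subdomain passes)
# beside an exact allow-list (only registered reply URLs pass).
# All host names below are constructed stand-ins, not the real ones.
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "devops.example.test"  # constructed stand-in for the real domain

# Exact reply URLs the service legitimately uses (constructed)
REGISTERED_REPLY_URLS = {
    "https://app.devops.example.test/signin-callback",
    "https://portal.devops.example.test/signin-callback",
}

# A subdomain whose DNS record still points at a deprovisioned resource
# (constructed): whoever re-registers that resource controls this host.
DANGLING_HOSTS = {"old-demo.devops.example.test"}


def weak_reply_to_ok(reply_to: str) -> bool:
    """Suffix match: every host under the trusted domain is accepted.

    This is the behaviour the advisory describes: a dangling subdomain
    satisfies the check exactly as a legitimate one does.
    """
    host = urlsplit(reply_to).hostname or ""  # hostname is lower-cased
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def strict_reply_to_ok(reply_to: str) -> bool:
    """Exact allow-list match on scheme, host and path (no query/fragment).

    Only pre-registered reply URLs pass, so taking over any other
    subdomain does not widen where a sign-in token can be sent.
    """
    parts = urlsplit(reply_to)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    normalized = f"https://{parts.hostname}{parts.path}"
    return normalized in REGISTERED_REPLY_URLS


def would_leak_token(reply_to: str, validator) -> bool:
    """True when `validator` accepts a reply_to that resolves to a dangling host."""
    host = urlsplit(reply_to).hostname or ""
    return validator(reply_to) and host in DANGLING_HOSTS
```

Pairing the exact allow-list with periodic checks for DNS records that point at resources you no longer own addresses both halves of the issue: the token can only go to a registered URL, and the dangling record is found before someone else claims it.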

Affected Services



None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Feb 18th, 2021
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Christian August Holm Hansen, Binary Security