🔐 Swiss Post Security Demonstration

Subdomain Takeover Vulnerability - Proof of Concept

SECURITY RESEARCH DEMONSTRATION ONLY

⚠️ IMPORTANT DISCLAIMER

This is a SECURITY DEMONSTRATION ONLY for responsible disclosure purposes.

Target Vulnerability: help.swisspost.ch

Researcher: pentester1 (YesWeHack)

Date: February 4, 2026

Purpose: To demonstrate a verified vulnerability without exploitation.

📋 Vulnerability Summary

The subdomain help.swisspost.ch is vulnerable to takeover due to a dangling CNAME record pointing to a deleted Vercel deployment.

🔍 DNS Configuration

Current Record:

help.swisspost.ch. 300 IN CNAME 44f725bca95a2519.vercel-dns-013.com.

Status: VULNERABLE

🚨 Current State

Vercel Deployment: 404 (Deleted)

Cached Response: 301 Redirect

Risk Level: HIGH

When cache expires: Complete takeover possible

🎯 Impact Assessment

  • Full subdomain control
  • Phishing attacks
  • Session hijacking
  • Brand reputation damage
  • Search engine poisoning

📊 Technical Evidence

# Current HTTP Responses:

# Via help.swisspost.ch (Cached):
HTTP/2 301
location: https://help.post.ch/
server: Vercel
x-vercel-id: bom1::xxxxx-xxxxxxxxxx-xxxxxxxxxxxx

# Direct Vercel Deployment (Actual):
HTTP/2 404
x-vercel-error: DEPLOYMENT_NOT_FOUND

🛡️ Required Remediation

  1. Immediate: Remove CNAME record for help.swisspost.ch
  2. Action: Point to valid Swiss Post service or remove subdomain
  3. Prevention: Monitor for similar dangling records
  4. Verification: Confirm fix with security researchers
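
One way to implement the monitoring in step 3, as an added example that is not part of the original demonstration: it audits a zone's CNAME lines against the response observed from each target deployment itself, because the hostname's cached 301 hides the deleted deployment. The function names, the second sample record and the pre-collected response table are assumptions made for illustration.

```python
import re

# Zone-file style CNAME line: name, TTL, class, type, target.
CNAME_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)
# Assumption: target suffix -> (header, value) marking an unclaimed target (pair from this page).
DANGLING_MARKERS = {".vercel-dns-013.com.": ("x-vercel-error", "DEPLOYMENT_NOT_FOUND")}

def parse_cnames(zone_text):
    """Return [(name, ttl, target)] for every CNAME line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), int(m.group(2)), m.group(3).lower()))
    return records

def is_dangling(target, direct_response):
    """direct_response is (status, headers) seen when requesting the target itself."""
    _status, headers = direct_response
    headers = {k.lower(): v for k, v in headers.items()}
    for suffix, (name, value) in DANGLING_MARKERS.items():
        if target.endswith(suffix) and headers.get(name) == value:
            return True
    return False

def audit(zone_text, direct_responses):
    """Flag CNAMEs whose target reports an unclaimed deployment."""
    # The hostname's own response is ignored on purpose: on this page it is
    # still a cached 301 while the deployment behind the CNAME is already gone.
    findings = []
    for name, _ttl, target in parse_cnames(zone_text):
        resp = direct_responses.get(target)
        if resp is None:
            findings.append((name, target, "UNCHECKED"))  # no evidence collected yet
        elif is_dangling(target, resp):
            findings.append((name, target, "DANGLING"))
    return findings

# Constructed sample input: the first record is the one shown on this page,
# the second (docs.example.org and its target) is invented for contrast.
SAMPLE_ZONE = """\
help.swisspost.ch. 300 IN CNAME 44f725bca95a2519.vercel-dns-013.com.
docs.example.org. 300 IN CNAME 0000000000000000.vercel-dns-013.com.
"""
SAMPLE_DIRECT = {
    "44f725bca95a2519.vercel-dns-013.com.": (404, {"x-vercel-error": "DEPLOYMENT_NOT_FOUND"}),
    "0000000000000000.vercel-dns-013.com.": (200, {"server": "Vercel"}),
}
print(audit(SAMPLE_ZONE, SAMPLE_DIRECT))
```

Records reported as UNCHECKED have no collected evidence for their target and should be reviewed by hand rather than assumed healthy.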

✅ This Demonstration

This page shows what could be deployed on the vulnerable subdomain. The identical DNS configuration has been reproduced here to prove the vulnerability exists.

Key Difference: This uses a researcher-owned domain (hackerbughunter.online) instead of exploiting Swiss Post's domain.