Subdomain takeover on launcher-beta.mojang.com, launchermeta-beta.mojang.com
I am reporting this on behalf of my friend tanpug and myself; we found the bug together.
I was able to claim the above two subdomains using Azure’s CDN service.
Steps to reproduce:
- Using dig I found that both subdomains resolved to Azure CDN endpoints that did not exist.
- I created a web page using Azure and then registered both CDN endpoints to point to the website I created (following the guide here: https://m0chan.github.io/2019/12/16/Subdomain-Takeover-Azure-CDN.html)
- I added the subdomains as custom domains on the CDN settings in Azure, waited a bit, and the subdomains now showed the proof-of-concept page I had set up.
Supporting material:
https://launcher-beta.mojang.com
https://launchermeta-beta.mojang.com
Impact:
This is extremely vulnerable to attacks as anyone who controls the subdomain can make it seem like the content they are hosting is coming from Mojang. This includes malicious content which could be mistaken by users as legitimate as the base domain is mojang.com. A more detailed description of the bug can be found at https://0xpatrik.com/subdomain-takeover/.
I came across this bug while scanning subdomains for Mojang, then checking with dig to see which subdomains returned an NXDOMAIN status. I then checked whether the CNAME record could be used for a subdomain takeover, and it could, so I followed the steps above and was able to successfully take over the subdomains.
Thanks, I hope whoever is reading this is doing well.
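From the defender's side, the condition this report describes (a subdomain whose CNAME points at an Azure CDN endpoint name that no longer resolves) can be audited from a zone export. The script below is an added example written for this page, not code from the reporter or from Mojang; the zone records, the example.com names and the answer set of "resolvable" targets are constructed so that it runs offline, and the resolver is injected as a callable so the same check can be pointed at a real resolver.

```python
"""Audit a DNS zone export for dangling CNAMEs to Azure CDN endpoints.

Added example, not part of the original report. SAMPLE_ZONE and
SAMPLE_RESOLVABLE are constructed data; `resolve` is injected so the
check runs offline here and can be wired to a live lookup elsewhere.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Azure CDN endpoint hostnames sit under azureedge.net. A CNAME whose
# target endpoint has been deleted can be re-registered by any Azure
# subscription, which is the takeover condition described in the report.
# The tuple can be extended with other providers' endpoint suffixes.
AZURE_CDN_SUFFIXES: Tuple[str, ...] = (".azureedge.net",)

# Constructed sample zone: subdomain -> CNAME target (None = no CNAME).
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "launcher-beta.example.com": "launcher-beta-example.azureedge.net",
    "launchermeta-beta.example.com": "launchermeta-beta-example.azureedge.net",
    "www.example.com": "www-example.azureedge.net",
    "mail.example.com": None,
}

# Constructed answer set: the only CDN endpoint that still exists.
SAMPLE_RESOLVABLE = {"www-example.azureedge.net"}


def sample_resolve(name: str) -> bool:
    """Offline stand-in for a DNS lookup: True if the name resolves."""
    return name.rstrip(".").lower() in SAMPLE_RESOLVABLE


def live_resolve(name: str) -> bool:
    """Real lookup via the system resolver (not used by the offline run).
    gethostbyname raises socket.gaierror on NXDOMAIN, i.e. a dead target."""
    try:
        socket.gethostbyname(name.rstrip("."))
        return True
    except socket.gaierror:
        return False


def is_azure_cdn_target(target: str) -> bool:
    """True if a CNAME target is an Azure CDN endpoint hostname."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in AZURE_CDN_SUFFIXES)


def find_dangling_cdn_cnames(
    zone: Dict[str, Optional[str]], resolve: Callable[[str], bool]
) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME points at an Azure CDN
    endpoint that no longer resolves. Each hit should have its CNAME
    removed or the endpoint re-created under the organisation's own
    subscription before the record is left in place."""
    findings: List[Tuple[str, str]] = []
    for name, target in zone.items():
        if target is None or not is_azure_cdn_target(target):
            continue  # no CNAME, or not a CDN endpoint: out of scope
        if not resolve(target):
            findings.append((name, target))
    return findings


if __name__ == "__main__":
    for sub, tgt in find_dangling_cdn_cnames(SAMPLE_ZONE, sample_resolve):
        print(f"DANGLING: {sub} -> {tgt} (endpoint does not resolve)")
```

Running it offline flags the two constructed launcher records and leaves www.example.com alone because its endpoint still resolves; swapping `sample_resolve` for `live_resolve` turns it into a periodic check over a real zone export, which is the control that would have caught the records in this report before they were claimable.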