New ask Hacker News story: A GitHub user is taking over dozens of domains they don't own via GitHub Pages

37 by eugeniub | 7 comments on Hacker News.
TL;DR: A user named haxorlife took over 65 domains today by exploiting a security flaw in the custom domain configuration in GitHub Pages.

Earlier today, my GitHub Pro subscription expired. I let it expire because a month ago I decided to downgrade to the Free plan. I downgraded because a month ago GitHub announced that Free plans would have unlimited private repositories. However, there was a detail I didn't catch. On the Free plan, you can have Pages on a public repo, or a private repo without Pages. But you can't have Pages on a private repo.

So what happened when my plan downgraded this morning? My GitHub Pages configurations got quietly deleted. No warning was given. My websites just disappeared. I only learned about it from an alert from Keybase.

In the time between my sites getting deleted and my discovery, a GitHub user by the name of haxorlife created a repository at http://bit.ly/2Dq4CZR, named after one of my affected domain names, iosref.com. And they configured iosref.com as the custom domain for that repo. So when I went to my website, I was suddenly faced with "pwned by FA Haxor [!]".

It turns out that GitHub doesn't require proof of ownership in order to set a custom domain. (Other services like GitLab require proof via a TXT DNS record.) Worse yet, if I try to re-add my own domain to my repository, I'm shown the error: "The CNAME iosref.com is already taken." And the support page only says: "If you don't own the repository that contains the CNAME file with your custom domain, try to contact the owner and ask them to update their custom domain."

There are 65 repositories owned by haxorlife with identical contents, which means that up to 65 domains are affected by this one user.

I personally deleted my GitHub-related DNS records for my domain, and later moved my site to DigitalOcean. If you have an affected domain, I urge you to do the same. I contacted GitHub support four hours ago, but haven't heard back yet.
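The failure mode described in the post is a dangling DNS record: the domain's A or CNAME records still delegate to GitHub Pages while no repository the owner controls carries the matching CNAME file, so any account can claim the name. The script below is an added example, not code from the post or from GitHub, that audits a set of DNS records for that condition and also shows the TXT-record ownership proof the post credits GitLab with. The GitHub Pages A addresses are the ones GitHub documents for Pages (treat them as a snapshot to refresh from the docs); the DNS records, repo list, `example-user.github.io` target and the `_pages-verification` TXT name and token format are all constructed here, not GitHub's or GitLab's real scheme.

```python
import hashlib
import hmac

# GitHub Pages anycast A addresses as published in GitHub's Pages docs.
# Assumption: a snapshot; refresh from the docs before relying on it.
GITHUB_PAGES_A = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}
GITHUB_PAGES_CNAME_SUFFIX = ".github.io"


def points_to_github_pages(records):
    """records: {'A': [...], 'CNAME': [...]} as a resolver would return them.
    Returns (True, reason) if any record hands the name to GitHub Pages."""
    for target in records.get("CNAME", []):
        if target.rstrip(".").lower().endswith(GITHUB_PAGES_CNAME_SUFFIX):
            return True, "CNAME " + target
    hits = set(records.get("A", [])) & GITHUB_PAGES_A
    if hits:
        return True, "A " + ",".join(sorted(hits))
    return False, "not pointed at GitHub Pages"


def classify(domain, records, my_cname_files):
    """my_cname_files: custom domains found in the CNAME files of repos I control.
    'dangling' means DNS still delegates to GitHub Pages but none of my repos
    claims the name, so any other GitHub user can claim it from their repo."""
    pointed, _ = points_to_github_pages(records)
    if not pointed:
        return "not-github"
    if domain.lower() in {d.lower() for d in my_cname_files}:
        return "claimed-by-me"
    return "dangling"


def verification_token(server_secret, domain):
    """Per-domain token a hosting service would hand the user to publish in a
    TXT record before accepting the custom domain (the GitLab-style proof the
    post mentions). An HMAC keeps it unguessable without the service secret."""
    return hmac.new(server_secret, domain.lower().encode(), hashlib.sha256).hexdigest()[:32]


def ownership_proven(server_secret, domain, txt_records, prefix="_pages-verification"):
    """Look for the expected token in the TXT records at <prefix>.<domain>.
    Hypothetical record name and value format, not GitHub's or GitLab's."""
    expected = verification_token(server_secret, domain)
    for value in txt_records.get(f"{prefix}.{domain}", []):
        if hmac.compare_digest(value.strip('"'), expected):
            return True
    return False


# Constructed records modelling the post: iosref.com still carries GitHub's
# A records, but after the downgrade no repo of mine has its CNAME file.
DNS = {
    "iosref.com": {"A": ["185.199.108.153", "185.199.109.153"], "CNAME": []},
    "www.iosref.com": {"A": [], "CNAME": ["example-user.github.io."]},
    "blog.example.net": {"A": ["203.0.113.7"], "CNAME": []},
}
MY_CNAME_FILES = ["blog.example.net"]  # iosref.com is missing: config was deleted


def audit(dns=DNS, my_cname_files=MY_CNAME_FILES):
    """Verdict per domain; anything 'dangling' should have its GitHub-pointing
    DNS records removed (the post's own mitigation) or be re-claimed at once."""
    return {name: classify(name, recs, my_cname_files) for name, recs in dns.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20} {verdict}")
```

Run it and both iosref.com names come back `dangling` while blog.example.net is `not-github`; removing the GitHub A/CNAME records for a domain, as the post did, moves it to `not-github`, and the `ownership_proven` check is the kind of gate that would have refused haxorlife's claim in the first place.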
