
A GitHub user is taking over dozens of domains they don't own via GitHub Pages - eugeniub
TL;DR — A user named haxorlife took over 65 domains today, by exploiting a security flaw in the custom domain configuration in GitHub Pages.

Earlier today, my GitHub Pro subscription expired. I let it expire, because a month ago, I decided to downgrade to the Free plan. I downgraded because a month ago, GitHub announced that Free plans would have unlimited private repositories. However, there was a detail I didn't catch. On the Free plan, you can have Pages on a public repo, or a private repo without Pages. But you can't have Pages on a private repo. So what happened when my plan downgraded this morning? My GitHub Pages configurations got quietly deleted. No warning was given. My websites just disappeared. I only learned about it with an alert from Keybase.

In the time between my sites getting deleted, and my discovery, a GitHub user by the name of haxorlife created a repository at https://github.com/haxorlife/iosref.com, named after one of my affected domain names, iosref.com. And they configured iosref.com as the custom domain for that repo. So when I went to my website, I was suddenly faced with "pwned by FA Haxor [!]".

It turns out that GitHub doesn't require proof of ownership in order to set a custom domain. (Other services like Gitlab require proof via a TXT DNS record.) Worse yet, if I try to re-add my own domain to my repository, I'm shown the error: "The CNAME iosref.com is already taken." And the support page only says: "If you don't own the repository that contains the CNAME file with your custom domain, try to contact the owner and ask them to update their custom domain."

There are 65 repositories owned by haxorlife with identical contents, which means that up to 65 domains are affected by this one user. I personally deleted my GitHub-related DNS records for my domain, and later moved my site to DigitalOcean. If you have an affected domain, I urge you to do the same.

I contacted GitHub support four hours ago, but haven't heard back yet.
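The window the post describes is a dangling DNS record: the domain still points at GitHub Pages after the Pages configuration behind it is gone, so any account can claim it. Below is an added audit script (not from the thread or from GitHub) that flags that state for a list of your own domains; the GitHub Pages address set is assumed from GitHub's documentation and should be checked against the current docs, and the DNS answers and the `example-owner` CNAME are constructed so it runs offline.

```python
from __future__ import annotations
from typing import Callable, Iterable
# Assumed: GitHub's documented anycast addresses for apex-domain A records;
# confirm against the current GitHub Pages documentation before relying on them.
GITHUB_PAGES_A = {"185.199.108.153", "185.199.109.153",
                  "185.199.110.153", "185.199.111.153"}
GITHUB_PAGES_CNAME_SUFFIX = ".github.io"

def points_at_github_pages(a_records: set[str], cname: str | None) -> bool:
    """True if the name reaches GitHub Pages via a github.io CNAME or its A records."""
    if cname is not None:
        return cname.rstrip(".").lower().endswith(GITHUB_PAGES_CNAME_SUFFIX)
    return bool(a_records & GITHUB_PAGES_A)

def audit(domains: Iterable[str], configured: set[str],
          resolve_a: Callable[[str], set[str]],
          resolve_cname: Callable[[str], str | None]) -> list[tuple[str, str, str]]:
    """Return (domain, status, detail) per name. `configured` holds the custom domains
    currently set on Pages sites you control (the CNAME files across your repos);
    a name that still points at GitHub Pages without one is claimable by any account,
    which is exactly the window the post describes."""
    findings = []
    for domain in domains:
        d = domain.lower().rstrip(".")
        cname = resolve_cname(d)
        a_records = set() if cname else resolve_a(d)
        if not points_at_github_pages(a_records, cname):
            findings.append((d, "not_github", "DNS does not target GitHub Pages"))
        elif d in configured:
            findings.append((d, "configured", "claimed by a Pages site you control"))
        else:
            target = cname or ", ".join(sorted(a_records))
            findings.append((d, "dangling", f"points at GitHub Pages ({target}) with no "
                             "Pages site behind it: remove the record or reclaim the domain"))
    return findings

# Constructed DNS answers so this runs offline; swap in real resolver calls for a live audit.
SAMPLE_A = {"iosref.com": set(GITHUB_PAGES_A), "example.net": {"203.0.113.10"}}
SAMPLE_CNAME = {"www.example.org": "example-owner.github.io."}  # constructed owner name

def run_sample() -> list[tuple[str, str, str]]:
    """Audit three constructed names; only www.example.org still has a Pages site."""
    return audit(["iosref.com", "www.example.org", "example.net"],
                 configured={"www.example.org"},
                 resolve_a=lambda d: SAMPLE_A.get(d, set()),
                 resolve_cname=lambda d: SAMPLE_CNAME.get(d))

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

For a live run, the `configured` set can be built from the CNAME files (or the Pages settings) of every repo on your account, and the resolver callables replaced with real DNS lookups.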
======
chmaynard
> It turns out that GitHub doesn't require proof of ownership in order to set
> a custom domain.

This is a major blunder. GitHub management needs to close this loophole
immediately and delete this idiot's account.

------
Richienb
Report em [https://github.com/contact/report-abuse?report=haxorlife+%28...](https://github.com/contact/report-abuse?report=haxorlife+%28user%29)

~~~
eugeniub
I reported earlier today, and luckily, it appears that the user is gone now.

------
chelmzy
You can do this with a ton of other services as well. It's pretty common in
the bug bounty scene. I did it with MoviePass domains a while back.

------
saghm
I set up a GitHub Pages site for the first time last month, and to set up a
custom domain, it had me add four A records pointing to IP addresses (all of
which were hardcoded in the GitHub Pages documentation, i.e. not specific to
my repository) and add the domain I was using in the settings for the site's
repository. I remember wondering how GitHub stopped other people from just
putting arbitrary domains in their repositories to steal them if they ever got
pointed towards GitHub Pages; I guess I have my answer now!

------
talves
Good to Know Eugene. Thanks for the heads up.

After having to deal with a ton of issue requests, I am sure GitHub will see
the light and change this to a better requirement.

Also, have you heard of Netlify? They will host it on their global CDN for
free and they are fast as hell. You can also use private repositories on
GitHub.

------
WaltPurvis
Side note: [https://iosref.com/](https://iosref.com/) is quite useful. Thanks!

------
jacob9706
Looks like he's no longer around.

------
kaletaa
What did you expect from MS, they made Windows updates which wiped your
fucking documents

~~~
aaomidi
How many people do you think joined GitHub from Microsoft after the merger?

This is literally human oversight.

