
Ask HN: Was GitHub Hacked or Me? - scottndecker
http://confidencetoexplore.com/

That's my page. My other github pages are working fine, but that one redirects to a crazy screen with a lightning strike gif, an email address, and something about "muslim cybersecurity".

I changed the A records to put up a parking lot page and that worked, so I think it's something around github. As soon as I add the A records and CNAME records back to point to github, the hacked page goes back up.

How do I fix this?
======
otras
This came up recently in a different HN thread:
[https://news.ycombinator.com/item?id=19118740](https://news.ycombinator.com/item?id=19118740)

The main gist is that GitHub doesn't require proof of ownership in order to
set a custom domain.

This means that if your GitHub Pages configurations are incorrect for any
reason (for example, that user switched from a Pro to a regular account and
lost the ability to have a GH page on a private repo), another user can come
along and claim your page (confidencetoexplore.com) as the custom domain for
that repo.

My bet would be that this happened to you. As another user in that thread
mentioned, report them:
[https://github.com/contact/report-abuse](https://github.com/contact/report-abuse)

~~~
applecrazy
Yes. This is what I just discovered. OP here's the malicious github account,
so we can get it banned:

[https://github.com/OnyonCapitaly](https://github.com/OnyonCapitaly)

I found a repo with your domain:

[https://github.com/OnyonCapitaly/confidencetoexplore.com](https://github.com/OnyonCapitaly/confidencetoexplore.com)

edit: just reported them, but you should too OP.

~~~
ronsor
The script kiddie will just sign up for another account and "hack" the same
sites again.

~~~
techntoke
Does GitLab have this issue? Don't they offer all this for free, unlike
GitHub?

~~~
therealmarv
GitLab requires you to put a txt record with a verification code in your
custom private domain DNS to verify ownership.

TL;DR no, GitLab does not have that issue.

~~~
gitlab-security
Confirming the previous poster's comment on GitLab Pages domain ownership
verification functionality, which was rolled out in February of 2018.
[https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/)

------
scottndecker
UPDATE: Github responded with the following...

(GitHub Developer Support)

Apr 4, 2:52 AM UTC

Hi Scott,

Thanks for reaching out, and sorry for the trouble!

GitHub Pages doesn't currently have a verification process when configuring a
new custom domain. We chose this design due to its low friction, but
unfortunately it also means that any GitHub user can claim any custom domain,
so long as it isn't already in use on another repository.

When you downgraded your account to GitHub Free, GitHub Pages for your private
repository was disabled, and this released your custom domain for potential
use by other GitHub users. While the risk of another user accidentally
claiming your specific custom domain is low, we've experienced trouble lately
with opportunistic ne'er-do-wells strategically claiming custom domains they
find to be available.

Our engineering team is currently investigating potential improvements to
prevent this in future. In the meantime, we're taking the precaution of
performing manual verification in any cases such as yours. A quick way we can
verify your ownership of the domain would be for you to add a TXT record to
your domain's DNS configuration.

When you create the TXT record, please include the following value:...

and from there gave me a value to put in my DNS to verify ownership.

Not a great experience today but at least they responded and are working to
remedy the situation (which I still believe was a huge ball drop on their part
in terms of both communication and implementation).

~~~
cypherpunks01
I had this exact same problem too on March 26th and my first response was
poor, the rep said "I'm sorry to hear that your domain was taking [sic] over
by another user" and tried to get me to verify my own domain with them. I told
them that I was disappointed with the response and then another support rep
wrote a much more helpful and detailed reply:

"Sorry for the trouble you've had with this.

GitHub Pages doesn't currently have a way of linking ownership of a domain to
a GitHub account. When you point your domain's DNS records towards GitHub IPs
all we can tell on our side is that the domain can be attached to a Pages
site—but we can't tell which one, or which account it's owned by, until the
domain is linked in the repository settings page.

When you leave your domain pointing towards GitHub, but don't attach it to a
live Pages site, any other GitHub user can link your domain to a Pages site
without any further verification. All we can see from your domain are the
GitHub IPs listed in the DNS records, so we have no way of linking it to a
specific account.

As this domain is now attached to a Pages site, we have to consider that the
person currently using it is the legitimate owner, whether that be via a
domain ownership transfer, the domain has expired and someone else has
purchased it, or other means.

We use this setup to make it quick and easy to get started with GitHub Pages,
without having to perform even more complex DNS verification steps or waiting
for propagation time. We are aware that it can be abused however and are
looking at possible solutions, but we don't have anything to announce at this
time.

If you would like to use this domain with GitHub Pages again yourself then you
will need to follow the verification process. If you don't want to use this
domain with GitHub Pages then you can safely remove any DNS records that point
towards GitHub to stop the malicious site displaying at your domain. However
you may have to verify it with us again in future if you would like to use
GitHub Pages again.

Let us know if you have any further questions, or would like to continue
verifying your ownership of your domain with us."

------
fernandouhu
The same happened to me, I searched my CNAME on github and found that a user
was "hijacking" some CNAMEs, pointing these domains to his own repos. This
happened to me because I switched from PRO to Free and I didn't notice that
the Free plan does not allow us to have a private repository with Github
Pages. The end result in my case is that I migrated my blog to Netlify and
used Hugo to generate my HTML site from Markdown files. It was very
straightforward and I am satisfied with the end result.

~~~
applecrazy
That’s exactly how I found the CNAME takeover in the case of OP. I guess if
this happens to anyone, the first mitigation step would be to search all of
GitHub for that CNAME.

------
mdeeks
This reminds me of the awful Cloudfront vulnerability where any jerk can park
your domain names in Cloudfront with no verification. One day you'll put one
of your domains behind Cloudfront and suddenly they own your website.

Scenario:

1. Today your DNS records look like this because you aren't using Cloudfront:

      site.com -- A --> 1.2.3.4
      www.site.com -- CNAME --> site.com

2. Some jerk with an AWS account registers "www.site.com" in Cloudfront.

3. Tomorrow you create a cloudfront distribution for site.com and change
site.com to a CNAME to "d12345abcdef.cloudfront.net". Instantly you're owned
on WWW.site.com because it indirectly points to Cloudfront and you forgot to
register that alias in AWS. Oh and guess what? The jerk can issue SSL certs
for your domain name through Lets Encrypt because all they need to do is put a
well-known file off your domain.

4. You have a bug bounty program (right?!) and pay quick, big money out to
some researcher who is, thankfully, not a jerk.

Good times.
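
The step-3 trap above (www.site.com reaching Cloudfront only through a CNAME to site.com) is the kind of thing a zone audit should catch before the cut-over. The following is an added example, not code from the commenter or from AWS or GitHub: it walks CNAME chains in a constructed zone and reports every name whose final target lands on a third-party host that expects you to register the alias with it, flagging the indirect ones. The zone data and the provider suffix list are constructed for illustration.

```python
# Constructed zone for illustration (not real DNS data): name -> (type, target).
ZONE = {
    "site.com": ("CNAME", "d12345abcdef.cloudfront.net."),
    "www.site.com": ("CNAME", "site.com."),
    "blog.site.com": ("CNAME", "someuser.github.io."),
    "mail.site.com": ("A", "1.2.3.4"),
}

# Hosting providers that serve whatever hostname is attached to them and
# expect you to register each alias on their side. Extend for your estate.
THIRD_PARTY_SUFFIXES = {
    "cloudfront.net": "Amazon CloudFront",
    "github.io": "GitHub Pages",
}


def resolve_chain(zone: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs from name within the zone. Returns the names visited in
    order; stops at a non-CNAME record, at a target outside the zone, on a
    loop, or after max_hops."""
    name = name.rstrip(".").lower()
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        rec = zone.get(cur)
        if rec is None or rec[0] != "CNAME":
            break
        nxt = rec[1].rstrip(".").lower()
        chain.append(nxt)
        if nxt in seen:              # CNAME loop; report and stop
            break
        seen.add(nxt)
        cur = nxt
    return chain


def third_party_provider(host: str):
    host = host.rstrip(".").lower()
    for suffix, provider in THIRD_PARTY_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def audit(zone: dict) -> list:
    """For every name in the zone, report whether its final CNAME target
    (direct or via other names in the zone) is a third-party provider.
    'indirect' marks the names that reach the provider through another
    record, i.e. the aliases that are easy to forget to register."""
    findings = []
    for name in sorted(zone):
        chain = resolve_chain(zone, name)
        provider = third_party_provider(chain[-1])
        if provider:
            findings.append({
                "name": name,
                "provider": provider,
                "target": chain[-1],
                "indirect": len(chain) > 2,
            })
    return findings


if __name__ == "__main__":
    for f in audit(ZONE):
        how = "INDIRECTLY" if f["indirect"] else "directly"
        print(f"{f['name']} {how} reaches {f['provider']} ({f['target']}); "
              f"confirm this alias is registered with the provider")
```

Run against a real zone export, every reported name is one to register with the provider (or remove) before or at the same time as the record that points at the provider is created; A records pointing at a provider's published IP ranges, as with the GitHub Pages setup in the original post, can be checked the same way by matching the address against those ranges instead of the hostname suffix.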

------
ChrisCinelli
The real problem here is that they do not notify people that on the Free plan,
you can have Pages on a public repo, or a private repo without Pages. But you
can’t have Pages on a private repo.

~~~
techntoke
With GitLab you can have a private repo for your Pages.

~~~
radicalriddler
That's nice.

------
ecabuk
I hadn't known that a Pro account is required to host static content for private
repos. It's better to move to gitlab because my student pro account is going to end
soon.

------
JPLeRouzic
I am not an expert, but did you check your domain's authoritative DNS servers?

~~~
scottndecker
I've logged into my DNS provider and confirmed everything is set up the same
as my other github pages which are working fine. Is that what you're asking?

~~~
JPLeRouzic
I checked yours and it is the same as for Aditya, so it might be OK. Weird
stuff, I do not understand how it is possible.

    host -t ns confidencetoexplore.com
    confidencetoexplore.com name server dns1.registrar-servers.com.
    confidencetoexplore.com name server dns2.registrar-servers.com.

~~~
applecrazy
It's a malicious takeover of a domain due to a process oversight from GH. They
should check if a person actually controls the domain before letting any GH
user host a GH pages site on that domain.

------
applecrazy
Nope. It seems to be just you. My website works
[https://adityar.me](https://adityar.me)

~~~
scottndecker
As stated, it's not all my sites hosted on github. Just that one. But it's
configured exactly the same as the others.

~~~
applecrazy
There's a weird meta tag on that page, Googling it leads to more "hacked"
pages:

    <meta content="http://www ratiss org/ioport5.htm" property="og:url">

(spaces added to prevent it from linking)

