Hacker News new | comments | ask | show | jobs | submit login
A GitHub user is taking over dozens of domains they don't own via GitHub Pages
70 points by eugeniub 9 days ago | hide | past | web | favorite | 11 comments
TL;DR — A user named haxorlife took over 65 domains today, by exploiting a security flaw in the custom domain configuration in GitHub Pages.

Earlier today, my GitHub Pro subscription expired. I let it expire, because a month ago, I decided to downgrade to the Free plan. I downgraded because a month ago, GitHub announced that Free plans would have unlimited private repositories. However, there was a detail I didn't catch. On the Free plan, you can have Pages on a public repo, or a private repo without Pages. But you can’t have Pages on a private repo. So what happened when my plan downgraded this morning? My GitHub Pages configurations got quietly deleted. No warning was given. My websites just disappeared. I only learned about it with an alert from Keybase.

In the time between my sites getting deleted, and my discovery, a GitHub user by the name of haxorlife created a repository at https://github.com/haxorlife/iosref.com, named after one of my affected domain names, iosref.com. And they configured iosref.com as the custom domain for that repo. So when I went to my website, I was suddenly faced with "pwned by FA Haxor [!]".

It turns out that GitHub doesn't require proof of ownership in order to set a custom domain. (Other services like Gitlab require proof via a TXT DNS record.) Worse yet, if I try to re-add my own domain to my repository, I'm shown the error: "The CNAME iosref.com is already taken." And the support page only says: "If you don't own the repository that contains the CNAME file with your custom domain, try to contact the owner and ask them to update their custom domain."

There are 65 repositories owned by haxorlife with identical contents, which means that up to 65 domains are affected by this one user. I personally deleted my GitHub-related DNS records for my domain, and later moved my site to DigitalOcean. If you have an affected domain, I urge you to do the same. I contacted GitHub support four hours ago, but haven't heard back yet.






> It turns out that GitHub doesn't require proof of ownership in order to set a custom domain.

This is a major blunder. GitHub management needs to close this loophole immediately and delete this idiot's account.



I reported earlier today, and luckily, it appears that the user is gone now.

[flagged]


You may have missed the part of my post where I said I reported the user to GitHub four hours before posting. I posted about it here because (1) I wanted to draw attention to this problem, which is affecting many developers this month because of all the users downgrading from Pro to Free, and (2) because I wanted to draw attention to this critical design flaw in GitHub Pages.

You can do this with a ton of other services as well. It's pretty common in the bug bounty scene. I did it with MoviePass domains awhile back.

I set up a Github Pages site for the first time last month, and to set up a custom domain, it had me add four A records pointing to IP addresses (all of which were hardcoded in the GitHub pages documentation, i.e. not specific to my repository) and add the domain I was using in the settings for the site's repository. I remember wondering how Github stopped other people from just putting arbitrary domains in their repositories to steal them if they ever got pointed towards Github Pages; I guess I have my answer now!

Good to Know Eugene. Thanks for the heads up.

After having to deal with a ton of issue requests, I am sure GitHub will see the light and change this to a better requirement.

Also, have you heard of Netlify. They will Host it to their Global CDN for free and they are fast as hell. Also can use private repositories on Github also.


Side note: https://iosref.com/ is quite useful. Thanks!

Looks like he's no longer around.

What did you expect from MS, they made Windows updates which wiped your fucking documents

How many people do you think joined GitHub from Microsoft after the merger?

This is literally human oversight.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: