My domain got abused on GitHub Pages(meertens.dev)

49 pointsby rmeertens5 hours ago9 comments

Gigachad4 hours ago
Seems like GitHub could solve this by making users verify they own a domain name by adding a value to a txt record rather than just seeing the domain points to github and letting any repo use it.
- rcfox4 hours ago
  You actually can do that. https://github.com/settings/pages
  - gavinsyancey4 hours ago
    Thank you; just did that for my domain I use with GH Pages. They should really mention that in the setup instructions.
- darkteflon4 hours ago
  I’ve set up two static pages with custom domains using GH Pages in the past couple of months, and both times I had to go digging in the docs before I found the verification page as part of trying to figure out why https wasn’t working. Fucking inexplicably poor UX design from GH. If I add a custom domain, just ask me to verify it.
- rockbruno4 hours ago
  You can do it, iirc they even stress doing so in the docs for GitHub Pages if you don't want your domain to be stolen
ardeaveran hour ago
Something similar once happened to me with an old domain with nameservers I had pointed to DigitalOcean from my registrar.
Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck.
Why is it always slot machines though?
usagisushi3 hours ago
Practically, it's not limited to GitHub Pages, though.
By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:
```
    dig +short github.io | head -1
    185.199.108.153

    curl -H "Host: 42.news.ycombinator.com" 185.199.109.153
    hello
```
Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)
est3 hours ago
Your DNS config 5-7 rows are the culprit.
Don't point a wildcard domain to Github. It's a wildcard and dangerous.
- rmeertens3 hours ago
  Yep! Fixed it already!
CodesInChaos3 hours ago
Why is securely setting up custom domains for github pages so error prone? The `<user>.github.io` CNAME record already contains the username. So why can another user steal it?
edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error prone approach for those.
tamimio4 hours ago
>how long it’s been abused?
I would say probably 10 years, I remember reading about the CNAME github issue around 2015 or so, as before that most used to use jekyll with gh pages, was very popular among indie developers
halapro4 hours ago
You told your NS to forward any request to GitHub, a platform you don't own.
I think this is the expected outcome.
It's good you noticed and shared your findings, but to me this "works as intended"
- tomhow4 hours ago
  Please don’t scold people on HN. That’s not the style of discussion we’re trying for here.
  https://news.ycombinator.com/newsguidelines.html
- rmeertens3 hours ago
  I wrote it down and posted it for others to learn, and to see if Github can make it harder for scammers to abuse the mistakes of others!
iqfareez4 hours ago
[dead]
pigbearpig4 hours ago
You wildcarded any traffic to github.com and thought, "eh, they probably check" and are wondering who is at fault? It's you.
You didn't think through the consequences, and you could learn a bit more about DNS.
- rmeertens3 hours ago
  > are wondering who is at fault? It's you I know, that's why I wrote it down.
  I did not expect that Github facilitates other accounts creating scam pages under the domain I own...