I am now also affected by this. I would never have found out if they hadn't registered my subdomain on Google Search Console, which notified me about this.
Was affected by this recently too. Similarly, I found out because the offender registered the subdomain with Google Search Console.
Background
Hi all! There is currently a security risk with GitHub Pages if you use a wildcard DNS setting: your domains are not entirely protected from takeovers. I'm referring to this warning found here:
My Request
Domain verification should "lock" the apex domain and all levels of subdomains to your account to prevent subdomain takeovers, even if you are using a wildcard DNS record.
When someone assigns a custom domain to their GitHub Pages repository, GitHub should check whether the apex domain is currently verified under anyone else's GitHub account. If it is verified by someone else, it cannot be used as that repository's Pages domain.
As a more general case, if I own example.com but only want to verify a.example.com, that should protect my domain at all levels of subdomains under *.a.example.com. On the other hand, the same protection could be achieved if GitHub required all domains/subdomains to be verified before they can be used in GitHub Pages; however, this could be annoying to many people.
Takeover Example
1. example.com and verify it to my GitHub account, nicfv.
2. b.a.example.com pointing to nicfv.github.io.
3. evil-user sets up GitHub Pages and assigns the CNAME in their repository to b.a.example.com, and they can host what they want.
4. b.a.example.com or by setting the "custom domain" field in my pages repository, getting this error:
5. evil-user still has 1 week to host content using my subdomain. See How to claim a subdomain from a takeover? #69253 for details.
Research
nicfv
Host GH Pages**
a.example.com
nicfv.github.io
a.example.com
a.example.com
nicfv.github.io
a.example.com
other.github.io
a.example.com
a.example.com
other.github.io
*.example.com
nicfv.github.io
*.example.com
nicfv.github.io
b.a.example.com
can be taken over
*.example.com
other.github.io
*.example.com
other.github.io
b.a.example.com
can be taken over
b.a.example.com
nicfv.github.io
b.a.example.com
b.a.example.com
nicfv.github.io
b.a.example.com
b.a.example.com
other.github.io
b.a.example.com
b.a.example.com
other.github.io
b.a.example.com
*.a.example.com
nicfv.github.io
a.example.com
*.a.example.com
nicfv.github.io
a.example.com
*.a.example.com
other.github.io
a.example.com
*.a.example.com
other.github.io
a.example.com
* Assuming that only the apex domain example.com is verified to nicfv.
** Assuming the subdomain is not already in use and has not been taken over.
The answers I've found [1], [2] don't explain the impact of verifying your domain on takeovers.
Results
- <user>.github.io, but it doesn't seem to matter what string is in place of <user>. I have not tested this for organizations.
- <any-string>.github.io.
- example.com. If you point it to GitHub's servers before verifying it, it is also prone to takeovers until the verification is complete.
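The verification "lock" requested in this post, modelled as an added Python example (this is not GitHub's code, and `VERIFIED`, `covering_verified_domains` and `may_assign_custom_domain` are names assumed for illustration): it walks from the requested custom domain up to the apex and refuses the assignment if any covering domain is verified to a different account, which also handles the more general case where only a.example.com is verified and everything under *.a.example.com should be protected.

```python
"""Model of the proposed rule: a custom domain may only be assigned to a
Pages repository if neither it nor any of its parent domains is verified
to a *different* account. Added example, not GitHub's implementation.
Assumption: verified domains are registrable names, so walking up to the
last label never reaches a bare TLD; public-suffix handling is ignored."""

from typing import Iterator

# Constructed sample state: only the apex is verified, to nicfv (footnote *)
VERIFIED: dict[str, str] = {"example.com": "nicfv"}


def _labels(domain: str) -> list[str]:
    """Normalise 'B.A.Example.com.' -> ['b', 'a', 'example', 'com']."""
    return domain.strip().lower().rstrip(".").split(".")


def covering_verified_domains(
    domain: str, verified: dict[str, str]
) -> Iterator[tuple[str, str]]:
    """Yield (verified_domain, owner) for the domain itself and each
    ancestor that is in the verified set, most specific first:
    b.a.example.com -> a.example.com -> example.com."""
    parts = _labels(domain)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in verified:
            yield candidate, verified[candidate]


def may_assign_custom_domain(
    requester: str, domain: str, verified: dict[str, str]
) -> tuple[bool, str]:
    """Return (allowed, reason). Denied as soon as any covering domain is
    verified to an account other than the requester; otherwise allowed."""
    for vdom, owner in covering_verified_domains(domain, verified):
        if owner != requester:
            return False, f"{domain} is covered by {vdom}, verified to {owner}"
    return True, f"no other account has verified {domain} or a parent of it"


if __name__ == "__main__":
    # Takeover scenario from the post: evil-user tries to claim b.a.example.com
    for user in ("nicfv", "evil-user"):
        ok, why = may_assign_custom_domain(user, "b.a.example.com", VERIFIED)
        print(f"{user:>10} -> {'allowed' if ok else 'denied '}: {why}")
    # General case: only a.example.com verified protects *.a.example.com
    partial = {"a.example.com": "nicfv"}
    print(may_assign_custom_domain("other", "b.a.example.com", partial))
    print(may_assign_custom_domain("other", "c.example.com", partial))
```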