Feature Request: Domain verification prevents takeovers

[nicfv]

Background

Hi all! There is currently a security risk with GitHub pages, if you use a wildcard DNS setting. Your domains are not entirely protected from takeovers. I'm referring to this warning found here:

Warning: We strongly recommend that you do not use wildcard DNS records, such as *.example.com. These records put you at an immediate risk of domain takeovers, even if you verify the domain. For example, if you verify example.com this prevents someone from using a.example.com but they could still take over b.a.example.com (which is covered by the wildcard DNS record). For more information, see "Verifying your custom domain for GitHub Pages."

My Request

Verifying domain verification should "lock" the apex domain and all levels of subdomains to your account to prevent subdomain takeovers, even if you are using a wildcard DNS record.

When someone assigns a custom domain to their GitHub pages repository, GitHub should perform a check to see if the apex domain is currently verified under anyone else's GitHub account. If it is verified by someone else, then it cannot be used for your pages domain.

As a more general case, if I own example.com but I only want to verify a.example.com, that should protect my domain from all levels of subdomains under *.a.example.com.

On the other hand, the same security feature could be achieved if GitHub requires all domains/subdomains to be verified before using them in GitHub pages, however this could be annoying to many people.

Takeover Example

1. Assume I own example.com and verify it to my GitHub account, nicfv.
2. I create a CNAME record at b.a.example.com pointing to nicfv.github.io.
3. Moments later, GitHub account evil-user sets up GitHub pages and assigns the CNAME in their repository to b.a.example.com, and they can host what they want.
4. I discover that my domain is taken over either by visiting b.a.example.com or by setting the "custom domain" field in my pages repository, getting this error:

   The custom domain b.a.example.com is already taken. If you are the owner of this domain, check out https://docs.github.com/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages for information about how to verify and release this domain.

5. After verifying my domain, evil-user still has 1 week to host content using my subdomain. See How to claim a subdomain from a takeover? #69253 for details.

Research

CNAME name	CNAME value	Verified*	Can nicfv Host GH Pages**	Prone to Takeovers
a.example.com	nicfv.github.io	No	Yes	Yes, only for a.example.com
a.example.com	nicfv.github.io	Yes	Yes	No
a.example.com	other.github.io	No	Yes	Yes, only for a.example.com
a.example.com	other.github.io	Yes	Yes	No
*.example.com	nicfv.github.io	No	Yes	Yes, any subdomain, and any level of subdomain
*.example.com	nicfv.github.io	Yes	Yes	First-level subdomains cannot be taken over, but b.a.example.com can be taken over
*.example.com	other.github.io	No	Yes	Yes, any subdomain, and any level of subdomain
*.example.com	other.github.io	Yes	Yes	First-level subdomains cannot be taken over, but b.a.example.com can be taken over
b.a.example.com	nicfv.github.io	No	Yes	Yes, only for b.a.example.com
b.a.example.com	nicfv.github.io	Yes	Yes	Yes, only for b.a.example.com
b.a.example.com	other.github.io	No	Yes	Yes, only for b.a.example.com
b.a.example.com	other.github.io	Yes	Yes	Yes, only for b.a.example.com
*.a.example.com	nicfv.github.io	No	Yes	Yes, any domain/subdomain under a.example.com
*.a.example.com	nicfv.github.io	Yes	Yes	Yes, any domain/subdomain under a.example.com
*.a.example.com	other.github.io	No	Yes	Yes, any domain/subdomain under a.example.com
*.a.example.com	other.github.io	Yes	Yes	Yes, any domain/subdomain under a.example.com

* Assuming that only the apex domain example.com is verified to nicfv

** Assuming the subdomain is not already in use and has not been taken over.

The answers I've found [1], [2] don't explain the impact of verifying your domain on takeovers.

Results

• GitHub makes a point to point the CNAME record to <user>.github.io but it doesn't seem to matter what string is in place of <user>. I have not tested this for organizations.
• The only surefire way to avoid a takeover is by verifying the exact domain/subdomain to your account first and then point the CNAME record of that exact domain/subdomain to <any-string>.github.io.
• ⚠️ I have not tested this ⚠️ This extends to the apex domain as well, example.com. If you point it to GitHub's servers before verifying it, it is also prone to takeovers until the verification is complete.
• If your domain/subdomain is affected by a takeover, you must verify it (which can take up to 24 hours) and GitHub gives the offender a 7 day grace period. That means they can host content on it for up to 8 days plus the "realization time."
• As things are right now, wildcard CNAME records virtually offer no protection at all from takeovers.
• How to claim a subdomain that was taken over: How to claim a subdomain from a takeover? #69253

[nicfv]

Bump

[iglvzx]

I just got hit by this. I had an old wildcard record pointing to my apex domain that I completely forgot about. Imagine my surprise when I get a Google alert for <subdomain>.<myDomain> also hosted on GitHub pages.

[nicfv]

@iglvzx thank you for sharing! This seems like a major security flaw.

[MrDanielHarka]

I am now also affected by this. I would have never found out, if they wouldn't have registered my subdomain on Google Search Console, which notified me about this.

[obvionaoe]

Bump

[Riley-]

Was affected by this recently too. Similarly, I found out because the offender registered the subdomain with Google Search Console.