Most developers know and love github pages. In case you haven’t ever tried, this service gives you an option to create a static site from your repository, which will be available on the smth.github.io domain. This is incredibly convenient for all temporary static files, documentation, simple small sites and so on. No need to think about any additional web server.
Also, there is an option to bind your domain to the repository, and then everything will become quite handsome. Even SSL support is available.
After this small introduction, let’s move on to the actual topic of the article. Not long ago (November 9th) I had an interesting experience. I recommend not to read the story in one go, but to stop periodically and think about the situation so far. I think it can become an interesting training session, although the plot of my detective story turned out to be not too twisted.
So, I decided to add the link to my CV to one of the profiles. The CV is published github pages, because… why not? Out of habit, I clicked on the link to check whether everything worked… And all of a sudden a strange thing appeared:
Being surprised, I went to the repository settings. I saw that at the moment it was not set up to my domain. I tried to set it, suddenly receiving the error
The CNAME` whois.jehy.ru` is already taken. Check out https://help.github.com/articles/troubleshooting-custom-domains/#cname-already-taken for more information.
That was when I started getting a little tense. After that I took a closer look at this strange page. Same as before, I only saw a standard template, copyright from 2013, and a sudden link to the sitemap. The sitemap contained the date of its generation from the current date (at the moment the date is still the same, November 9), as well as a static html-document with the name and content, reminiscent of the google validation method. That was when I got really tense, so I went to change the NS record to my server and started thinking it over, trying to figure out what went wrong.
Initial googling showed that:
- Domain hijacking is a potentially known problem, and it has already been solved, it is enough to register the address of your repository in CNAME record: https://stackoverflow.com/questions/22829938/github-pages-with-custom-cname-security. Also, setting up your repo address in CNAME is an officially recommended method from documentation.
- There are different instructions for binding a github repo to a domain (besides the official one), and many of them (including those from the top 10 google results) assign IP addresses directly, or simply set up github.io.
Then I thought that, probably, I had a wrong CNAME record. So I changed it to the correct one, with reference to my repository:
And to my amazement I saw this wonderful “Coming Soon” landing again!
To test it, I even made another test :
- I created a new NS record test.jehy.ru and assigned the profile of Ryan Dahl (ry.github.io.) in CNAME.
- I created the repository https://github.com/jehy/test- attack, setting it up for it a custom domain test.jehy.ru.
The result is obvious: https://test.jehy.ru/
Next, I contacted tech github support via a strange form on https://github.com/contact. They told me that they could unbind the other repository from my domain if I added another NS record for myself. I did this, but upon reporting back on it from Friday to Monday I haven’t received a reply. Perhaps it was necessary to re-write it in their form, but this is just beyond me. So I just left my static site on my server.
I could think of three reasons for what has happened:
- Someone accidentally registered the address of “whois.jehy.ru” in his repository in 2018, while laying out a landing page with “Coming soon” from 2013, where for some reason lies the html for checking the google ownership. Well, hardly ever.
- Some crazy bug has turned up. Also unlikely. The situation repeated itself on the second test site.
- The trick with setting up a CNAME has either never worked, or has broken down, and the hijackers use it to attack sites. So far it seems the most likely option to me.
Next, I remembered that in the case of a domain binding, github itself makes a file named CNAME in your repository. There I went to look for someone, who added my domain. And — bingo!
As you can see, it was not an accident at all. Someone has stolen a decent amount of domains, including the second level ones! And he got full control over their content, confirming the ownership of these domains with Google!
By the way, it should be also mentioned that sometimes a hacker does not just replace the site content, but forks the source repository, and adds verification files afterwards. And he has been having fun this way for at least a month already (I’ve found commits from October 6). His “followers” are same. They even shamelessly fork those repos…
Further, you can find my assumptions about how this attack occurs, and what hacker can do afterwards.
- First, the hacker finds sites that are resolved to github.io IPs. It’s pretty easy to do.
- Next, he filters them, leaving only those that return an error (it seems there is just 404). There can be many cases when repos are not set up: someone had a misplaced repository, someone deleted it, someone had the binding settings accidentially removed (it seems that this happened to me when I changed the branch for github pages).
- Then the hacker simply creates a new repository with the content he needs and binds it to the “free” domain. Voila!
- Then it all depends on the hacker’s fantasy. Doorway, linking, data interception, Google access to Google Apps management… There are many options.
What I did next, having all the evidence of the malicious use of the binding in my hands:
- I described the details in my email to email@example.com;
- Once again, I wrote them a letter in the contact form;
- I added a ticket on hackerone.com. I have to admit, that it says there that githubpages.io is excluded from the scope of bug bounty program, but there were no other options. So I had to ignore both this warning, and a robot that gently advised me not to send this report for the same reason.
I got no reply from the contact form, but two days later I got a reply from hackerone. In short, they told me that this is a well-known feature of the service, it is not a vulnerability, and the spam team deals with such things. The report was closed as “informative”, so I can write about it with a clear conscience. I was also informed that the account I had reported about was banned. I checked it, and yes, it is gone. Several days later, “followers” were also gone.
Here one could stop and say that everything is all right … But in fact, I am extremely embarrassed by this situation.
- Why do these accounts not get revealed for months? There is identical content, there are google validation files everywhere, a bunch of such sites on one account… Common signs are multiple.
- Why didn’t the spam team check related repositories?
- Why domain binding instructions offer you to set up the name of your repository in CNAME if it doesn’t affect anything, giving you a security illusion?
- Why is there no warning mechanism that would say that the domain that was previously linked to your account is now linked to another?
- Why did not I receive any replies from email or support form?
But the main question that confuses me is why the github does not check the NS records of the domains that are listed on the github pages for the presence of the specific repository of the CNAME in them? This is the simplest operation that can be performed while binding a domain, and it does not take much time… Moreover, the instructions give the impression that it was meant to be so… So why is this validation broken?
In general, I am writing this post with the hope that it will reach github one way or another, and the guys will take action. And before you ask, “why talk about it, everyone is going to do it now,” I will answer that this flaw is already well known and is being actively exploited. And as now the constant scanning of the “abandoned” domains is obviously going on, several new participants will not make a big difference.
I don’t usually do this, but it would be great if you clapped to this article to help it get some attention. It is really important to care about safety in internet.
What can I say in the end? Perhaps, that you should always mind this case when you place something on third-party capacities. Of course, there is nothing personal on the Internet at all — “your” domains belong to the registrar, “your” servers belong to Google, Amazon, or someone else… And you can’t say that github is less reliable than “your” personal server… But you always need to remember about your resources, their importance and potential losses in case of their interception — especially when you use third party services which may behave unexpectedly.
P.S. This is a translation of my article in Russian, original article is posted here: https://habr.com/post/429972/