Hijacking domain using Github pages

Image for post
Image for post

Most developers know and love github pages. In case you haven’t ever tried, this service gives you an option to create a static site from your repository, which will be available on the smth.github.io domain. This is incredibly convenient for all temporary static files, documentation, simple small sites and so on. No need to think about any additional web server.

Also, there is an option to bind your domain to the repository, and then everything will become quite handsome. Even SSL support is available.

After this small introduction, let’s move on to the actual topic of the article. Not long ago (November 9th) I had an interesting experience. I recommend not to read the story in one go, but to stop periodically and think about the situation so far. I think it can become an interesting training session, although the plot of my detective story turned out to be not too twisted.

So, I decided to add the link to my CV to one of the profiles. The CV is published github pages, because… why not? Out of habit, I clicked on the link to check whether everything worked… And all of a sudden a strange thing appeared:

Image for post
Image for post

Being surprised, I went to the repository settings. I saw that at the moment it was not set up to my domain. I tried to set it, suddenly receiving the error

The CNAME` whois.jehy.ru` is already taken. Check out https://help.github.com/articles/troubleshooting-custom-domains/#cname-already-taken for more information.

That was when I started getting a little tense. After that I took a closer look at this strange page. Same as before, I only saw a standard template, copyright from 2013, and a sudden link to the sitemap. The sitemap contained the date of its generation from the current date (at the moment the date is still the same, November 9), as well as a static html-document with the name and content, reminiscent of the google validation method. That was when I got really tense, so I went to change the NS record to my server and started thinking it over, trying to figure out what went wrong.

Initial googling showed that:

  • Domain hijacking is a potentially known problem, and it has already been solved, it is enough to register the address of your repository in CNAME record: https://stackoverflow.com/questions/22829938/github-pages-with-custom-cname-security. Also, setting up your repo address in CNAME is an officially recommended method from documentation.

Then I thought that, probably, I had a wrong CNAME record. So I changed it to the correct one, with reference to my repository:

Image for post
Image for post

And to my amazement I saw this wonderful “Coming Soon” landing again!

To test it, I even made another test :

  1. I created a new NS record test.jehy.ru and assigned the profile of Ryan Dahl (ry.github.io.) in CNAME.

The result is obvious: https://test.jehy.ru/

Next, I contacted tech github support via a strange form on https://github.com/contact. They told me that they could unbind the other repository from my domain if I added another NS record for myself. I did this, but upon reporting back on it from Friday to Monday I haven’t received a reply. Perhaps it was necessary to re-write it in their form, but this is just beyond me. So I just left my static site on my server.

I could think of three reasons for what has happened:

  • Someone accidentally registered the address of “whois.jehy.ru” in his repository in 2018, while laying out a landing page with “Coming soon” from 2013, where for some reason lies the html for checking the google ownership. Well, hardly ever.

Next, I remembered that in the case of a domain binding, github itself makes a file named CNAME in your repository. There I went to look for someone, who added my domain. And — bingo!

Image for post
Image for post
Hacker detected!
Image for post
Image for post
My domain here
Image for post
Image for post
And many others!

As you can see, it was not an accident at all. Someone has stolen a decent amount of domains, including the second level ones! And he got full control over their content, confirming the ownership of these domains with Google!

By the way, it should be also mentioned that sometimes a hacker does not just replace the site content, but forks the source repository, and adds verification files afterwards. And he has been having fun this way for at least a month already (I’ve found commits from October 6). His “followers” are same. They even shamelessly fork those repos…

Further, you can find my assumptions about how this attack occurs, and what hacker can do afterwards.

  1. First, the hacker finds sites that are resolved to github.io IPs. It’s pretty easy to do.

What I did next, having all the evidence of the malicious use of the binding in my hands:

  • I described the details in my email to support@github.com;

I got no reply from the contact form, but two days later I got a reply from hackerone. In short, they told me that this is a well-known feature of the service, it is not a vulnerability, and the spam team deals with such things. The report was closed as “informative”, so I can write about it with a clear conscience. I was also informed that the account I had reported about was banned. I checked it, and yes, it is gone. Several days later, “followers” were also gone.

Here one could stop and say that everything is all right … But in fact, I am extremely embarrassed by this situation.

  • Why do these accounts not get revealed for months? There is identical content, there are google validation files everywhere, a bunch of such sites on one account… Common signs are multiple.

But the main question that confuses me is why the github does not check the NS records of the domains that are listed on the github pages for the presence of the specific repository of the CNAME in them? This is the simplest operation that can be performed while binding a domain, and it does not take much time… Moreover, the instructions give the impression that it was meant to be so… So why is this validation broken?

In general, I am writing this post with the hope that it will reach github one way or another, and the guys will take action. And before you ask, “why talk about it, everyone is going to do it now,” I will answer that this flaw is already well known and is being actively exploited. And as now the constant scanning of the “abandoned” domains is obviously going on, several new participants will not make a big difference.

I don’t usually do this, but it would be great if you clapped to this article to help it get some attention. It is really important to care about safety in internet.

What can I say in the end? Perhaps, that you should always mind this case when you place something on third-party capacities. Of course, there is nothing personal on the Internet at all — “your” domains belong to the registrar, “your” servers belong to Google, Amazon, or someone else… And you can’t say that github is less reliable than “your” personal server… But you always need to remember about your resources, their importance and potential losses in case of their interception — especially when you use third party services which may behave unexpectedly.

P.S. This is a translation of my article in Russian, original article is posted here: https://habr.com/post/429972/

Written by

Russian developer, teacher, tech lead.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store