Ask HN: Was GitHub Hacked or Me?
http://confidencetoexplore.com/
That's my page. My other github pages are working fine, but that one redirects to a crazy screen with a lighting strike gif, an email address, and something about "muslim cybersecurity".
I changed the A records to put up a parking lot page and that worked, so I think it's something around github. As soon as I add the A records and CNAME records back to point to github, the hacked page goes back up.
How do I fix this?
43 comments
[ 3.4 ms ] story [ 100 ms ] thread<meta content="http://www ratiss org/ioport5.htm" property="og:url"> (spaces added to prevent it from linking)
host -t ns confidencetoexplore.com confidencetoexplore.com name server dns1.registrar-servers.com. confidencetoexplore.com name server dns2.registrar-servers.com.
The main gist is that GitHub doesn't require proof of ownership in order to set a custom domain.
This means that if your GitHub Pages configurations are incorrect for any reason (for example, that user switched from a Pro to a regular account and lost the ability to have a GH page on a private repo), another user can come along and claim your page (confidencetoexplore.com) as the custom domain for that repo.
My bet would be that this happened to you. As another user in that thread mentioned, report them: https://github.com/contact/report-abuse
https://github.com/OnyonCapitaly
I found a repo with your domain:
https://github.com/OnyonCapitaly/confidencetoexplore.com
edit: just reported them, but you should too OP.
TL;DR no, GitLab does not have that issue.
Hope this helped, OP
Shouldn't they, I don't know, do something beyond banning accounts caught exploiting this?
Quick response from GitHub after raising a report and got my CNAME back after going through the domain ownership verification with them.
(GitHub Developer Support)
Apr 4, 2:52 AM UTC
Hi Scott,
Thanks for reaching out, and sorry for the trouble!
GitHub Pages doesn't currently have a verification process when configuring a new custom domain. We chose this design due to its low friction, but unfortunately it also means that any GitHub user can claim any custom domain, so long as it isn't already in use on another repository.
When you downgraded your account to GitHub Free, GitHub Pages for your private repository was disabled, and this released your custom domain for potential use by other GitHub users. While the risk of another user accidentally claiming your specific custom domain is low, we've experienced trouble lately with opportunistic ne'er-do-wells strategically claiming custom domains they find to be available.
Our engineering team is currently investigating potential improvements to prevent this in future. In the meantime, we're taking the precaution of performing manual verification in any cases such as yours. A quick way we can verify your ownership of the domain would be for you to add a TXT record to your domain's DNS configuration.
When you create the TXT record, please include the following value:...
and from there gave me a value to put in my DNS to verify ownership.
Not a great experience today but at least they responded and are working to remedy the situation (which I still believe was a huge ball drop on their part in terms of both communication and implementation).
"Sorry for the trouble you've had with this.
GitHub Pages doesn't currently have a way of linking ownership of a domain to a GitHub account. When you point your domain's DNS records towards GitHub IPs all we can tell on our side is that the domain can be attached to a Pages site—but we can't tell which one, or which account it's owned by, until the domain is linked in the repository settings page.
When you leave your domain pointing towards GitHub, but don't attach it to a live Pages site, any other GitHub user can link your domain to a Pages site without any further verification. All we can see from your domain are the GitHub IPs listed in the DNS records, so we have no way of linking it to a specific account.
As this domain is now attached to a Pages site, we have to consider that the person currently using it is the legitimate owner, whether that be via a domain ownership transfer, the domain has expired and someone else has purchased it, or other means.
We use this setup to make it quick and easy to get started with GitHub Pages, without having to perform even more complex DNS verification steps or waiting for propagation time. We are aware that it can be abused however and are looking at possible solutions, but we don't have anything to announce at this time.
If you would like to use this domain with GitHub Pages again yourself then you will need to follow the verification process. If you don't want to use this domain with GitHub Pages then you can safely remove any DNS records that point towards GitHub to stop the malicious site displaying at your domain. However you may have to verify it with us again in future if you would like to use GitHub Pages again.
Let us know if you have any further questions, or would like to continue verifying your ownership of your domain with us."
Scenario:
1. Today your DNS records look like this because you aren't using Cloudfront:
2. Some jerk with an AWS account registers "www.site.com" in Cloudfront.3. Tomorrow you create a cloudfront distribution for site.com and change site.com to a CNAME to "d12345abcdef.cloudfront.net". Instantly you're owned on WWW.site.com because it indirectly points to Cloudfront and you forgot to register that alias in AWS. Oh and guess what? The jerk can issue SSL certs for your domain name through Lets Encrypt because all they need to do is put a well-known file off your domain.
4. You have a bug bounty program (right?!) and pay quick, big money out to some researcher who is, thankfully, not a jerk.
Good times.