22 comments

[ 3.1 ms ] story [ 54.6 ms ] thread
Took the article pointing out that the c and r were transposed for me to even notice there was a problem!
Fairly compelling attack vector because it took several readings for me to even see the problem with the domain.
Damn, this can pick a typo from a CI job and do mean things.
Reminder not to use goofy TLDs, being cute is not worth it when compared to security. There's no guarantees that the process for taking down a malicious domain will be as smooth as a .com.

I'd rather deal with US verisign rather than the British Indian Ocean territory or colombia or anguila

whois says it's registered by dynadot, so it's probably worth contacting their abuse email: abuse@dynadot.com
already happened :)
One reason why you should never think or say ghcr, but always github container register, even if that is longer. You should have enough time for not getting trapped.

Root cause a stupid FLA of course. For several months I thought it means Google whatever register.

One reason why you should never think or say [or write] FLA, but always Four Letter Acronym (probably?), even if that is longer.
Wouldn't DNSSEC solve stuff like this?
(comment deleted)
I don't get it what is ghrc and why does it matter
Honestly using something like haveibeensquatted would catch _so_ many of these, including ability to submit takedowns.
looks like it was either taken down or turned off. trying to run the same curl commands now just sits empty trying to access the IP

curl -i -v https://ghrc.io/v2/ * Trying 128.199.6.40:443...

No seems back again