GitHub Pages Domain Hijacking

[estahn]

Let me pre-empt that I have no wildcard configuration on my domain and have been using it with my repository for years. About 25ish days ago my domain enricostahn.com was somehow hijacked and pointed to another repository. The DNS is still showing to GitHub pages, but it does not resolve to https://github.com/estahn/enricostahn.com but instead to https://github.com/enricostahn/enrico – which is the hijackers created repository. The repository contains a website with a redirect to apac.arizona.edu, which appears to promote gambling.

Now, I have already taken action:

• I contacted Pantheon, which is hosting the website on apac.arizona.edu, which locked it down for the time being.
• I contacted arizona.edu, which is investigating the case.
• I contacted GitHub Support about 5 days ago without having received a response ([GitHub Support] Confirmation - Request Received (#1732585))
• I verified my domain via TXT record, but this doesn't seem to release it if someone else claimed it. Although this the suggested resolution:

My questions:

• How was it possible to claim the domain?
• How long does it take for GitHub support to release a verified domain?

[jdevfullstack]

Verifying your domain stops other GitHub users from taking over your custom domain and using it to publish their own GitHub Pages site. Domain takeovers can happen when you delete your repository, when your billing plan is downgraded, or after any other change which unlinks the custom domain or disables GitHub Pages while the domain remains configured for GitHub Pages and is not verified.

https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

[estahn]

@jdevstatic Thanks, I have verified my domain after realising it has been hijacked. Given I have touched my blog and the related repo in a year or more it is still unclear to me how this was executed. Also, verifying the domain does not automatically unlink it from the repository of the hijacker – which I expected. I assume there are internal audit logs that could clarify this further.

[jdevfullstack]

yup hopefully a Staff will see this,

[crpietschmann]

I have just had this happen, and it appears there is no way to report it to GitHub. I have verified my domain in my profile, but it still is allowing the other account to hijack my domain. WTF!? The docs do say, "If you are verifying a domain you own, which is currently in use by another user or organization, to make it available for your GitHub Pages website; note that the process to release the domain from its current location will take 7 days to complete." So I guess I just need to wait? :/

[RobThree]

I had this happen to me today. Scared the sh*t out of me when I got an email from google saying:

Google has identified that ratnaputri198722@gmail.com has been added as an owner of http://ftp.somesite.foo/.

After a little investigation it was simple. My hoster creates a few default records (like ftp, www, mail) etc. The ftp was a CNAME to the main domain somesite.foo. I had github pages set up for somesite.foo and never paid any attention to the ftp record. But that allowed the 'hijacker' to create a GitHub page for ftp.somesite.foo and then, apparently, they verified the site with the Google Search Console-thingy using either html tag or html page upload verification. They can/could do this because they had full control over their repository.

First thing I did, immediately after receiving the mail, was delete the ftp and other useless records. Followed by an hour of frantic audit log searching (ofcourse nothing to be found), killing all my google sessions (I feared someone may have gotten access to one of my session access tokens), etc. etc. and a lot of head-scratching. Until I figured out what must've happened. I'd like to claim that I was smart enough to figure it out on my own, but this was already a thing in 2018 and maybe even earlier so I wasn't the first by far (but still did it on my own 😛 ). Eventually I found this page and then this post and immediately set up the domain verification for all domains I use GitHub pages for.

In my defense, most of these domains are pretty much as old as GitHub pages is, so not sure if domain verification was a thing back then.

Anyway: verify your domains people!!

What I would like: A way to find out what repository contains / contained my "hacked" ftp.somesite.foo domain so I can report the account.

Edit: I found the "hijacker"

[davorg]

I would love to know how you found the hijacker. I would like to track down someone who has done the same thing with one of my sites.

[brunosan]

Exactly same happened to me. In my case I had a "*" domain setup, so any domain would have worked. Removed that registry, and it was solved.

[thagxt]

I recently had a similar issue. I was checking my DNS records and found that an ‘assets.*’ subdomain I created a year ago but never used was redirecting to an Indonesian gambling website! This subdomain was linked to a GitHub repo, and GitHub Pages had been set up using CNAME records, which is what GitHub recommends. I then removed the DNS record from my registrar, and the problem was solved. It’s crazy to me that something like this is possible! To me, that’s a huge security risk! I’m currently moving my GitHub pages to Cloudflare pages.

[RobThree]

It’s crazy to me that something like this is possible! To me, that’s a huge security risk!

Uh, well, yeah, but it's a security risk you created yourself by creating record pointing at GitHub. This is not Github's fault and the very same thing can happen with Cloudflare or whatever.

[RobThree]

I simply googled "http://ftp.somesite.foo/", quotes included. I was lucky there were only a handful of hits at most.

[viccaruso]

This just happened to me. Got an email saying an owner was added to my Google Search Console about an hour ago, but when I visit my dashboard and view the owners I am the only person listed. My domain is registered through Squarespace Domains and originally pointed to a site I hosted through GitHub Pages. I deleted all records on Squarespace Domains and then verified my domain in the settings for GitHub Pages. I guess downgrading from a Pro account to a Standard account deleted my previous verification? Anyways it seems to have done the trick and the scam site is gone.