Developer exposes GitHub Pages vulnerability allowing domain hijacking via wildcard DNS
The incident highlights a gap in how GitHub Pages handles custom domains: GitHub serves a domain for any repository whose CNAME file names it, without checking that the repository owner controls the parent domain, prompting calls for stricter verification.
Roland Meertens, the developer behind the immersivepoints.com domain, has identified a weakness in GitHub Pages that let third parties host scam sites on subdomains of his domain. He discovered the abuse after returning from travel in Africa with limited internet access and reviewing notifications from Google Search Console, which flagged a new owner for the subdomain kafka.immersivepoints.com.
The exposure stemmed from a wildcard DNS record for his domain that points at GitHub Pages' servers. Such a record is a common way to host static sites and project pages, but it means every subdomain of the parent name resolves to GitHub, so any GitHub user who lists one of those subdomains in a repository's CNAME file gets their content served there. Meertens noted that he had assumed only one user could 'own' a domain; in practice GitHub serves any custom domain for which some repository declares a matching CNAME file, without checking who controls the parent domain.
The malicious content was served from a private GitHub repository, so Meertens could not inspect or report the specific code behind it. He pointed out that this form of subdomain takeover is not new, citing tools such as can-i-take-over-xyz that catalogue services whose dangling DNS records can be claimed this way. The takeover works because GitHub's implementation assumes that whoever adds a domain to a CNAME file is entitled to it; ownership of the parent domain is not enforced for its subdomains.
Meertens suspects the sites were slot-machine scams that could have misled users, although poor indexing by Google likely limited their reach. He stressed that he learned of the issue only through Google Search Console alerts he had set up recently; without them, the abuse could have gone unnoticed for an unknown length of time.
Meertens has reported the pages to GitHub and is awaiting a response on whether the perpetrators' accounts will be banned. He also learned that GitHub offers domain verification for user sites through a DNS TXT record, a mechanism he had not previously used. He suggests that GitHub warn in repository settings when a custom domain is unverified or its DNS configuration appears incorrect, to prevent a recurrence.
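The following script is an added example, not code from the article or from Meertens, that audits a DNS zone for the exposure described above: it flags a wildcard record pointing at GitHub Pages when no verification TXT record is present, and classifies observed subdomains as unclaimed or claimed from the HTML GitHub returns for them. All DNS records and HTTP bodies are constructed inline so it runs offline; the GitHub account name `example-user` is a placeholder, the 404 marker string is the text GitHub serves for an unclaimed custom domain (the same string takeover tools match on), and the `_github-pages-challenge-<user>` record name is the format GitHub's verification documentation uses.

```python
"""Audit a zone for the wildcard-to-GitHub-Pages subdomain takeover exposure.

Added example; DNS data and HTTP bodies below are constructed, not captured.
"""
from dataclasses import dataclass
import ipaddress
import re

# Anycast A-record addresses GitHub documents for Pages apex domains.
GITHUB_PAGES_IPS = {
    ipaddress.ip_address(a)
    for a in ("185.199.108.153", "185.199.109.153",
              "185.199.110.153", "185.199.111.153")
}
GITHUB_IO_RE = re.compile(r"(^|\.)github\.io\.?$", re.IGNORECASE)
# Body GitHub returns for a custom domain no repository has claimed.
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here."


@dataclass
class Zone:
    apex: str
    github_user: str   # account that should own every *.apex site
    records: dict      # owner name -> list of (rtype, rdata)


def points_at_github_pages(rrset):
    """True if any record in the set hands the name to GitHub Pages."""
    for rtype, rdata in rrset:
        if rtype == "CNAME" and GITHUB_IO_RE.search(rdata):
            return True
        if rtype == "A" and ipaddress.ip_address(rdata) in GITHUB_PAGES_IPS:
            return True
    return False


def has_wildcard_to_pages(zone):
    return points_at_github_pages(zone.records.get("*." + zone.apex, []))


def challenge_record_name(zone):
    # Record name format from GitHub's "Verifying your custom domain" docs.
    return f"_github-pages-challenge-{zone.github_user}.{zone.apex}"


def has_challenge_record(zone):
    """Only checks the TXT record exists; verification itself is done in GitHub."""
    rrset = zone.records.get(challenge_record_name(zone), [])
    return any(rtype == "TXT" and rdata for rtype, rdata in rrset)


def classify_host(zone, host, body):
    """Classify one hostname from the HTML body fetched for it."""
    explicit = zone.records.get(host)
    if explicit is not None and not points_at_github_pages(explicit):
        return "not-github"   # own record pointing elsewhere; out of scope
    if explicit is None and not has_wildcard_to_pages(zone):
        return "nxdomain"     # nothing resolves, so nothing to take over
    if UNCLAIMED_MARKER in body:
        return "unclaimed"    # reaches GitHub, but no repo has a CNAME file for it
    return "claimed"          # some repository (possibly a stranger's) declares it


def audit(zone, observed):
    """observed: host -> HTTP body fetched for that host. Returns findings."""
    findings = []
    wildcard = has_wildcard_to_pages(zone)
    verified = has_challenge_record(zone)
    if wildcard and not verified:
        findings.append(
            f"CRITICAL *.{zone.apex} -> GitHub Pages with no "
            f"{challenge_record_name(zone)} TXT record: any GitHub account "
            f"can claim any subdomain by adding it to a CNAME file")
    for host, body in sorted(observed.items()):
        state = classify_host(zone, host, body)
        if state == "unclaimed" and wildcard and not verified:
            findings.append(f"EXPOSED {host}: resolves to GitHub Pages, unclaimed")
        elif state == "claimed" and host not in zone.records:
            findings.append(f"REVIEW {host}: served via wildcard; confirm "
                            f"{zone.github_user} owns the repository")
    return findings


# Constructed zone matching the article's setup (wildcard, no verification record).
VULNERABLE_ZONE = Zone(
    apex="immersivepoints.com",
    github_user="example-user",   # placeholder account name
    records={
        "immersivepoints.com": [("A", "185.199.108.153"), ("A", "185.199.109.153")],
        "*.immersivepoints.com": [("CNAME", "example-user.github.io")],
        "www.immersivepoints.com": [("CNAME", "example-user.github.io")],
        "mail.immersivepoints.com": [("A", "203.0.113.25")],
    },
)
# Same zone with the verification challenge record added.
HARDENED_ZONE = Zone(
    apex=VULNERABLE_ZONE.apex, github_user=VULNERABLE_ZONE.github_user,
    records={**VULNERABLE_ZONE.records,
             "_github-pages-challenge-example-user.immersivepoints.com":
                 [("TXT", "constructed-challenge-token")]},
)
# Constructed HTTP bodies: a stranger's site, an unclaimed 404, the owner's site, non-GitHub.
OBSERVED = {
    "kafka.immersivepoints.com": "<html><body>Spin to win!</body></html>",
    "blog.immersivepoints.com": f"<html><body>{UNCLAIMED_MARKER}</body></html>",
    "www.immersivepoints.com": "<html><body>Immersive Points</body></html>",
    "mail.immersivepoints.com": "",
}

if __name__ == "__main__":
    for finding in audit(VULNERABLE_ZONE, OBSERVED):
        print(finding)
```

Against VULNERABLE_ZONE the audit reports the wildcard as critical, blog as exposed and kafka as needing review; against HARDENED_ZONE only the review item remains, since with the challenge record in place a stranger's repository can no longer claim the subdomain. In a live check the `observed` bodies would come from an HTTPS GET to each candidate host and the records from a zone export or DNS queries.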