Subdomain takeover via Github Pages - *

3 years ago
2 months ago

(Reporter: griffin.francis.1993, Unassigned)


({sec-high, wsec-takeover})

Bug Flags:
sec-bounty +



(1 attachment)



3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36

Steps to reproduce:

This attack vector utilizes DNS-entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.

Check your DNS-configuration for subdomains pointing to services not in use.

Actual results:

I was able to take over the domain as there was an existing DNS record pointing to a Github record.

Expected results:

The DNS records should be removed if the subdomain is not within use.

Comment 1

3 years ago
Just to further add to this, it appears to affect all subdomains associated with * There are upwards of 50+ based on what I can see.


3 years ago
Summary: Subdomain takeover via Github Pages - → Subdomain takeover via Github Pages - *
Griffin: Could you please add more details regarding the 50+ subdomains affected? Can you also add some details about how you went about performing a takeover on one of the domains? We're aware of similar types of issues with Heroku (like mentioned in the article), but want to get as much clarity as possible to understand impact and be able to communicate that to the service owner(s).

I've removed the CNAME entries under pointing to I've attached a list of all DNS records which were deleted. The removals will not be visible immediately; it will take approximately 30 minutes for our DNS servers to stop answering these queries.

Comment 4

3 years ago
Hello, what Brian has done has fixed the issue at hand. I was able to claim as it was valid within Github pages. All I had to do was point it to the relevant domain as indicated here - and I would be able to claim it as mine. Please let me know if you would like any additional information.
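The defender-side check the reporter recommends ("check your DNS configuration for subdomains pointing to services not in use"), together with the empty `dig +short` result used later in this thread to confirm the fix, as an added example that is not part of this bug report or of Mozilla's tooling. The zone export, hostnames and the set of claimed sites are constructed; the provider list is an assumption drawn from the GitHub Pages and Heroku cases mentioned above.

```python
from __future__ import annotations
import re
from typing import Callable, Iterator

# Providers where an unclaimed hostname can be attached to any customer
# account. github.io is the case in this bug; Heroku is mentioned in the
# thread. Extending this tuple is a site-specific decision (assumption).
TAKEOVER_PRONE = ("github.io", "herokuapp.com")

# Constructed BIND-style zone export, not Mozilla's real DNS data.
SAMPLE_ZONE = """
docs.example.test.     300 IN CNAME example-org.github.io.
old-app.example.test.  300 IN CNAME retired-app.herokuapp.com.
www.example.test.      300 IN A     203.0.113.10
blog.example.test.     300 IN CNAME example-org.github.io.
"""

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def parse_cnames(zone_text: str) -> Iterator[tuple[str, str]]:
    """Yield (owner, target) for each CNAME line, trailing dots stripped."""
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            yield m.group(1).rstrip("."), m.group(2).rstrip(".")


def points_at_provider(target: str) -> bool:
    """Exact or proper-subdomain match, so 'xgithub.io' is not matched."""
    return any(target == p or target.endswith("." + p) for p in TAKEOVER_PRONE)


def find_dangling(zone_text: str, site_claimed: Callable[[str], bool]) -> list[tuple[str, str]]:
    """Return (owner, target) pairs whose target is a takeover-prone provider
    while the provider serves no site for `owner`. `site_claimed(owner)` is
    caller-supplied; online it would fetch https://<owner>/ and report False
    on the provider's "no such site" response (GitHub Pages answers 404)."""
    return [(o, t) for o, t in parse_cnames(zone_text)
            if points_at_provider(t) and not site_claimed(o)]


def cname_removed(dig_short_output: str) -> bool:
    """True when `dig +short <owner> CNAME` prints nothing: the record is
    gone, which is how the fix in this thread was confirmed."""
    return dig_short_output.strip() == ""


# Offline stand-in for the probe: only docs.example.test has a live site.
CONSTRUCTED_CLAIMED = {"docs.example.test"}


def demo() -> list[tuple[str, str]]:
    return find_dangling(SAMPLE_ZONE, lambda owner: owner in CONSTRUCTED_CLAIMED)
```

Records that `find_dangling` reports are candidates for deletion; after removal, run `dig +short <owner> CNAME` against each authoritative server and treat only an empty answer as confirmation, allowing for the propagation delay Brian notes.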


3 years ago
Flags: sec-bounty?
Brian, is this correct? Has this issue been resolved?
Flags: needinfo?(bhourigan)
(In reply to Al Billings [:abillings] from comment #5)
> Brian, is this correct? Has this issue been resolved?

Yes, it has. I just double checked and can confirm the DNS entries listed in attachment 8745645 [details] have been removed. Additionally:

bhourigan@moderock ~/mozilla/dnsconfig » dig +short @
bhourigan@moderock ~/mozilla/dnsconfig »
Flags: needinfo?(bhourigan)
Last Resolved: 3 years ago
Flags: sec-bounty? → sec-bounty+
Resolution: --- → FIXED
Removing security flag on this, now public.
Group: websites-security