The github pages DNS takeover incident
This website, andreaschiavini.com, is hosted on GitHub Pages. The domain is registered on Namecheap, and the integration was done following the instructions in this gist.
Last week, I received an email from Google saying that some users had been added as property owners of my Google Search Console property. This raised an eyebrow, and I checked my website. Instead of my website, it showed some sort of slot machine scam website.
The first thing I checked was my DNS settings. They were correct, and checking via dig apparently reported no issue:
➜ dig +noall +answer +nocmd andreaschiavini.com
andreaschiavini.com. 1800 IN A 185.199.108.153
andreaschiavini.com. 1799 IN A 185.199.109.153
andreaschiavini.com. 1799 IN A 185.199.110.153
andreaschiavini.com. 1799 IN A 185.199.111.153
➜ dig +noall +answer +nocmd www.andreaschiavini.com
www.andreaschiavini.com. 856 IN CNAME metalelf0.github.io.
metalelf0.github.io. 856 IN A 185.199.109.153
metalelf0.github.io. 856 IN A 185.199.111.153
metalelf0.github.io. 856 IN A 185.199.110.153
metalelf0.github.io. 856 IN A 185.199.108.153
After a quick check with the Namecheap support folks, which ruled out any DNS issue, I switched to the GitHub side.
My website is a static blog built using Hugo/Jekyll and deployed via GitHub Actions. Since I'm using a custom theme, I suspected something might have happened on the JavaScript side, e.g. some external JavaScript included by the theme had been compromised to perform a redirect. However, inspecting the page load showed that the very first request (the GET / call) was already returning the scam website, i.e. before any JavaScript was loaded and executed.
GitHub Actions also hadn't run since the last deploy, which happened more than a month ago, so I excluded them from my analysis.
I needed to check whether everything was right on the GitHub Pages side. I opened my GitHub Pages repository settings and looked at the custom domains section. My custom domain was not there anymore. This was strange, I thought, since I had already added and validated it. I tried adding it back, but I got an error:
The custom domain andreaschiavini.com is already taken. If you are the owner of this domain, check out https://docs.github.com/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages for information about how to verify and release this domain.
When we register a custom domain for a GitHub Pages website, we are advised to verify the domain. This process involves adding a TXT record generated by GitHub to the DNS configuration. GitHub then checks the DNS records, and once it finds the expected TXT record, it marks the domain as verified.
I did this the first time I set up the integration, but I carelessly removed the TXT record afterwards. This left my domain open to being added by a malicious user and bound to another GitHub Pages website.
The important bit to notice here is how GitHub handles adding custom domains, which was not entirely clear to me:
- when you add a custom domain, GitHub only checks that the domain's DNS records are set up to point to the GitHub Pages IPs (A records);
- when you validate a domain, GitHub checks for the presence of the TXT record and verifies its content.
So, after I removed the TXT record by accident, all the attacker could do was add the domain to their GitHub repo; they clearly couldn't validate it (they would have needed access to my Namecheap account for that).
The fix at this point was pretty straightforward: I validated my domain from my GitHub profile settings, went through the procedure to add back the given TXT record, and once that succeeded I could add my custom domain back to my GitHub Pages repository settings.
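The lesson above is that the A/CNAME records dig showed were fine but said nothing about whether the verification TXT record was still in place. Below is an added example, not part of the original post, of a small POSIX sh audit that checks all three things for a GitHub Pages custom domain: apex A records point only at the four GitHub Pages addresses seen in the dig output above, the www CNAME points at the expected user.github.io name, and the verification TXT record exists. The TXT record name `_github-pages-challenge-<user>.<domain>` is taken from GitHub's verification docs; the `metalelf0` user and the sample record lines are assumptions reused from this post.

```shell
#!/bin/sh
# Added example: DNS sanity checks for a GitHub Pages custom domain.
# The check_* functions take captured `dig +noall +answer` output as a string,
# so they can be exercised offline; audit_pages_domain runs dig for real.

# The four GitHub Pages anycast addresses (as seen in the dig output in the post).
GITHUB_PAGES_IPS="185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153"

# is_pages_ip IP -> 0 if IP is one of the GitHub Pages addresses.
is_pages_ip() {
    for candidate in $GITHUB_PAGES_IPS; do
        [ "$1" = "$candidate" ] && return 0
    done
    return 1
}

# check_a_records "<dig output>" -> 0 only if there is at least one A record
# and every A record points at GitHub Pages. A stray non-GitHub A record
# would mean the apex is serving something else entirely.
check_a_records() {
    count=0
    for ip in $(printf '%s\n' "$1" | awk '$4 == "A" { print $5 }'); do
        count=$((count + 1))
        is_pages_ip "$ip" || return 1
    done
    [ "$count" -gt 0 ]
}

# check_cname "<dig output>" expected_target -> 0 if the first CNAME answer
# points at the expected *.github.io. name (note the trailing dot).
check_cname() {
    target=$(printf '%s\n' "$1" | awk '$4 == "CNAME" { print $5; exit }')
    [ "$target" = "$2" ]
}

# check_txt_challenge "<dig output>" -> 0 if any TXT answer is present.
# Pass the dig output for _github-pages-challenge-<user>.<domain>. Without this
# record the domain can be added (though not verified) by another Pages site.
check_txt_challenge() {
    printf '%s\n' "$1" | awk '$4 == "TXT" { found = 1 } END { exit found ? 0 : 1 }'
}

# audit_pages_domain DOMAIN GITHUB_USER -> live check (needs dig and network).
audit_pages_domain() {
    domain=$1
    user=$2
    status=0
    a_out=$(dig +noall +answer +nocmd "$domain" A)
    c_out=$(dig +noall +answer +nocmd "www.$domain" CNAME)
    t_out=$(dig +noall +answer +nocmd "_github-pages-challenge-$user.$domain" TXT)

    if check_a_records "$a_out"; then
        echo "ok   apex A records point only at GitHub Pages"
    else
        echo "FAIL apex A records missing or not GitHub Pages"; status=1
    fi
    if check_cname "$c_out" "$user.github.io."; then
        echo "ok   www CNAME -> $user.github.io."
    else
        echo "FAIL www CNAME does not point at $user.github.io."; status=1
    fi
    if check_txt_challenge "$t_out"; then
        echo "ok   verification TXT record present"
    else
        echo "WARN verification TXT record missing: domain is not protected against being claimed"; status=1
    fi
    return $status
}

# Usage: sh pages_dns_audit.sh andreaschiavini.com metalelf0
if [ $# -ge 2 ]; then
    audit_pages_domain "$1" "$2"
fi
```

The point of splitting the parsing from the live query is that the verification TXT lookup is the one check a routine `dig domain` never performs; running this from a cron job or a CI step gives an early warning if that record is ever removed again, before anyone else notices.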