A developer discovered a security vulnerability in GitHub Pages where any user could claim subdomains of domains already hosted on the platform, potentially enabling phishing attacks. The issue arose because GitHub would serve content from any repository that claimed a subdomain via CNAME, without proper domain ownership verification. This could allow malicious actors to create seemingly legitimate subdomains for phishing or other attacks.
Background
GitHub Pages is a popular static site hosting service that allows users to host websites directly from their GitHub repositories. It's commonly used for project documentation, personal blogs, and portfolio sites, with custom domain support being a key feature.
- Source
- Lobsters
- Published
- May 19, 2026 at 08:29 PM
- Score
- 7.0 / 10