@koenrh reported that an attacker could register arbitrary subdomains of github.io and githubusercontent.com via our content delivery network (CDN). This could be used to serve malicious content from these domains or steal another user’s GitHub Pages domain.

In working with our CDN, we learned that they were treating any domain on the Public Suffix List as a “service provider.” They quickly responded to our request and removed GitHub domains from their list of service providers. We have verified that subdomains of GitHub domains can no longer be registered with our CDN.
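As an added example (not GitHub's or the CDN's code), the check a domain owner would want after reading this: run your own domains against the Public Suffix List so you know which ones a provider might treat as shared "service provider" space and confirm with that provider that they are excluded. The PSL excerpt below is a constructed sample that follows the real file's format, including its wildcard and exception rules; the full list lives at https://publicsuffix.org/list/.

```python
import sys

# Constructed excerpt of Public Suffix List rules in the real file's format.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
io
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
githubusercontent.com
"""

def parse_psl(text):
    """Return the rule column of a PSL file, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.split()[0].lower())
    return rules

def public_suffix(hostname, rules):
    """Public suffix of hostname per the PSL algorithm: an exception rule wins,
    otherwise the longest matching rule, otherwise the implicit '*' rule."""
    labels = hostname.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        exception = rule.startswith("!")
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if not all(r == "*" or r == lab for r, lab in zip(parts, tail)):
            continue
        if exception:
            return ".".join(parts[1:])  # exception: drop the leftmost label
        if best is None or len(parts) > len(best):
            best = parts
    n = len(best) if best else 1  # implicit '*' rule: last label only
    return ".".join(labels[-n:])

def is_public_suffix(hostname, rules):
    """True when the hostname itself is a public suffix (a shared namespace)."""
    return hostname.lower().rstrip(".") == public_suffix(hostname, rules)

def audit(domains, rules):
    """Domains you own that are PSL entries and so need provider confirmation."""
    return [d for d in domains if is_public_suffix(d, rules)]

if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for d in sys.argv[1:] or ["github.com", "github.io", "githubusercontent.com"]:
        print(d, "-> PSL entry" if is_public_suffix(d, rules) else "-> not on PSL")
```

Replace `PSL_EXCERPT` with the downloaded list to audit real domains; the matcher handles the `*.` and `!` rules the same way the published algorithm does.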