@koenrh reported that an attacker could register arbitrary subdomains of github.io and githubusercontent.com via our content delivery network (CDN). This could be used to serve malicious content from these domains or steal another user’s GitHub Pages domain.
In working with our CDN, we learned that they were treating any domain on the Public Suffix List as a “service provider.” They quickly responded to our request and removed GitHub domains from their list of service providers. We have verified that subdomains of GitHub domains can no longer be registered with our CDN.
@koenrh reported that the index on one of our S3 buckets was world-readable. An attacker could have used this to download internal GitHub infrastructure graphs. The information exposed was limited and introduced minimal risk to GitHub. We addressed this issue by updating the configuration for this S3 bucket.