The monstrosity that is “co.ws” should teach everyone to properly set up their GitHub Pages websites

Francesco
6 min readApr 7, 2023

--

“co.ws: the domain name everyone has the keys to (and why)”

It all started when I was wondering if Tucows had registered and was using any domain hacks. Very normal 3 AM thoughts. Anyway, I go to check if “tuco.ws” is registered. Nope, it’s on sale on Escrow.com for…

Escrow.com payment confirmation screen for the domain “tuco.ws”, which is being sold for £9,900.
this person’s really trying to get £9,900 ($12,296.79) out of tucows

Yikes. Well, at least the seller is the one paying the Escrow.com fee… yay?

Anyway, after that I went to check if “co.ws” was an official second-level domain, to see if they had registered “tu.co.ws”. But I visit “co.ws”, and it turns out it’s not an official second-level domain, but rather, a…

A browser window on the website “co.ws”, which reads: “URL shortener”.
that’s literally the whole page

Very mysterious indeed. I was kind of curious on what URLs they were shortening though, so I searched up “site:co.ws” on Google, and oh boy…

Google results for “site:co.ws”.
what are these horse shit results

Script kiddie “uhhhhh i hacked your domain lol” type pages, next to what seem to be legitimate tutorial websites, next to h̶o̶t̶ 0xd0ff9s in my area… what are these results?! And can anyone just create whatever subdomains they want? If so, how? I want to join into the co.ws “fun” as well! (And I did eventually figure out how to, so keep reading until the end.)

But then I realized something… The domain was hosted on GitHub Pages servers, BUT it wasn’t verified! This means that ANYONE can create a GitHub Pages site under any subdomain on that domain without permission and with absolutely zero verification. And even worse, if someone finds a way to temporarily knock out your GitHub account or GitHub Pages site, they can also create a GitHub Pages site and use your main domain to do whatever they want.

I cannot stress this enough, VERIFY YOUR GITHUB PAGES DOMAINS! GitHub unfortunately does not make this more obvious, because, in their “Managing a custom domain for your GitHub Pages site” article, they only briefly, and most importantely vaguely, mention domain takeovers, right next to some complicated talk about wildcard DNS records:

The GitHub docs warning you not to use wildcard DNS records.

And worse of all, they DO eventually mention the fact that if you don’t verify your domain, you’re prone to domain takeovers, but they forget to mention something very important!

The GitHub docs on how to secure your custom domain.

As you can see in the screenshot, the docs say that:

If your GitHub Pages site is disabled but has a custom domain set up, it is at risk of a domain takeover. Having a custom domain configured with your DNS provider while your site is disabled could result in someone else hosting a site on one of your subdomains.

This is technically true: like I said before, if someone manages to shut down your GitHub Pages site with a non-verified domain, they can use that domain however they like. However, not only can the… takeoverers… host a site on a subdomain, but also on your main domain!

AND ALSO, VERY IMPORTANTLY, THEY CAN HOST A SITE ON ANY (not already existing) SUBDOMAIN THEY WANT, EVEN IF YOUR MAIN SITE IS ACTIVE. IF IT’S NOT VERIFIED, THEY CAN USE ANY SUBDOMAIN THEY WANT, NO MATTER WHAT.

GitHub should REALLY update their documentation on this, or else people are just going to keep ignoring this verification feature and get their domains taken over and used for free by anyone for whatever they want. For example, a phishing scammer could spin up a website on a subdomain of an already well-established domain registered a long time ago. This would help them get past Safe Browsing and similar security tools, and would make their scam website and subdomain look more trustworthy on the surface. Oh no, what’s that? Domain got reported because of our takeover? Oops, we just ruined that domain’s reputation! Too bad, time to move to another one. (Remember, it’s as simple as going into the GitHub Pages settings and changing the domain name. Or it could be done even faster by just editing the “CNAME” file at the root of the GitHub Pages branch.)

It’s Free (unethical) Real Estate, bitches

Anyway, if you want to verify your GitHub Pages domain (which you ABSOLUTELY SHOULD ASAP) I’ve made a little tutorial for Cloudflare users:

Or you can also follow GitHub’s tutorial:

Now that I’ve basically roasted the shit out of GitHub though, it’s time to exploit this little “vulnerability” of theirs to spin up a site on “tu.co.ws”. Tucows hadn’t yet, so why not do it myself, am I right?
(I am REALLY sorry Team Tucows)

Although I just wrote a 5-page essay on how to “hack” someone’s GitHub Pages domain, I was still in utter shock at how simple it was. I just created a new GitHub repo, made a super quick index.html file, then I enabled GitHub Pages and changed the domain to “tu.co.ws”. Before I knew it, my fake Tucows website was up.

A browser window on the website “tu.co.ws”, reading: “if this worked, welcome to tu.co.ws”, and below it, in small text: “tucows pls don’t sue me”
look at that! i hacked into the mainframe, and it didn’t even take any movie magic to do!

Man, why do people in this industry spend hundreds of thousands of dollars on rare 2-letter domain names, when they can just hack into some mysterious domain on GitHub Pages? In all seriousness though, if I were an asshole, I could’ve used this domain for way worse purposes. Like… oh I don’t know… a phishing scam targeting Tucows customers! With a short-ass domain like that, it looks way more believable than if I were to register something like “tucows-login.online”. But here’s the thing: buying “tucows-login.online” would cost me money, and I’d have to change the DNS records, or maybe even the nameservers entirely, then I’d have to wait up to 24 hours for those changes to propagate, blah, blah, blah… But by effectively stealing someone else’s domain that was incorrectly configured on a PUBLIC website hosting platform, I have skipped all of those steps. Money to buy a domain? Don’t need it. Waiting for all of those DNS records to propagate? Nope, it took me less than 5 minutes to host something on the domain. And what’s great is that the main domain (co.ws) was registered a long time ago, making it seem more trustworthy!

You know what, I can’t take this dogshit anymore. This is the end of the article. If you actually got to this point because you read this entire article, you’re an absolute legend. Thank you for reading, and have a fantastic day.

…oh, and uhhhh… verify your domains. Please.

--

--