GitHub apparently doesn't care about account security and wants user's accounts hacked and also organization's and individual's Intellectual Property stolen

[Theaxiom]

Select Topic Area

Product Feedback

Body

Description:

I have discovered a critical security vulnerability on GitHub.com that requires immediate action. This is the only place I have found to contact GitHub in regards to this issue.

I have discovered that the entirety of GitHub.com is available over http (unsecured) at the following IP address:
http://43.128.62.24:91/Theaxiom

This must be rectified immediately.

My original report of this issue was here: https://support.github.com/ticket/personal/0/3398324

Steps To Reproduce:

(Add details for how we can reproduce the issue)

1.Go to the following unprotected URL: http://43.128.62.24:91/Theaxiom
1.You will see my GitHub profile

1. Repeat the step for any repo or profile on GitHub

Impact

The hacker can perform MITM attacks, as well as view/access personal and confidential information, such as passwords.

---

I reported this issue both to GitHub support and through their hacker bounty program and was essentially dismissed. See attached screenshots.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[Theaxiom]

3 weeks and not so much as a peep.

[christiangroothuis]

When looking at the IP's Censys overview https://search.censys.io/hosts/43.128.62.24, it seems it's just someone self-hosting at their residential IP address and running a reverse proxy to GitHub. So I assume there is not much GitHub themselves can do about this, right?

[Theaxiom]

@christiangroothuis They can disallow the proxying, there are ways to prevent it such as by using special SSL certificates.

[christiangroothuis]

Could you explain what you mean with special SSL certificates? Since the reverse proxy is just using HTTP between the client and itself, and then connects to GitHub over normal HTTPS, it’s not interfering with GitHub’s certificates or TLS directly. I'd assume that as far as GitHub knows, it’s just getting standard HTTPS requests from a client IP.
It does seem like forms are not working over this proxy. Probably because Github uses secure cookies for CSRF or some other secure cookie-based validation, which then wouldn't be forwarded over HTTP.

[Theaxiom]

https://serverfault.com/questions/905166/how-to-prevent-a-third-party-from-proxying-an-https-website

There are many ways, especially for a company as large as Microsoft/GitHub.

[abbybiswas]

I am having the same issue and the thing is when you search my company website that ip link shows up additional seem like a bot github account is trying to confuse focs trying to find my actual repo for my org

[Theaxiom]

It's actually a proxy setup on someone's home computer likely and it is originating from Japan. It is called a MITM (man-in-the-middle) and if you input your user credentials into that IP site your credentials can get stolen.

1. It is HTTP (not HTTPS)
2. They can simply steal your credentials in transit while they proxy your requests

It is best to avoid using that site, unfortunately GitHub refuses to do anything about it.

[NotPunchnox]

The browser suggests this link several times and I think GitHub should take action as it seems to be used to steal information. Also, when searching for the IP on the browser, the most visited page is the login page ( on Brave at least )

[PPPDUD]

What's the issue here? As long as you don't use that proxy, your information can't be stolen. GitHub should just add some JS that warns you on the login page if you're not going through the official site.

[Leorev01]

I agree

[Theaxiom]

Neither of you obviously have any experience in security engineering. You cannot simply rely on people to "know not to do something in order to stay safe" -- it is the duty and the responsibility of these companies to protect their user's security and privacy, instead of being negligent.

[PPPDUD]

Neither of you obviously have any experience in security engineering. You cannot simply rely on people to "know not to do something in order to stay safe" -- it is the duty and the responsibility of these companies to protect their user's security and privacy, instead of being negligent.

If someone on GitHub of all places ignores a massive warning saying "DO NOT ENTER YOUR CREDENTIALS HERE", it's really on them for getting hacked.

[PPPDUD]

In addition, why would you put proprietary code on a free software site and trust that nothing will happen to it? Host your own Git server at that point.

[Leorev01]

How did you find that URL, I doubt majority of people will stumble into it, and if they do, im sure they will see the URL and not use it

[kendofriendo]

first result on google

[Deveshshukla36]

I don't completely agree but on some places it does it

[Saggre]

I found that IP on the first page of some Google results. That is another problem.

[PPPDUD]

I agree that it is a problem, but it is a problem that Google needs to solve, not GitHub.

[Theaxiom]

It appears that they fixed the leak (nearly a year later). I am closing this discussion now.