A wildcard DNS record pointing immersivepoints.com subdomains at GitHub Pages let anonymous actors spin up scam subdomains like kafka.immersivepoints.com without any verification.
Key Takeaways
GitHub Pages serves a domain from any repo whose CNAME file names it, so a wildcard DNS entry exposes all subdomains to hijacking by strangers.
The abuse came from a private GitHub repository, making it impossible to flag or identify the specific repo.
Tools like can-i-take-over-xyz on GitHub already enumerate domains vulnerable to this subdomain takeover pattern.
GitHub does offer domain verification via a TXT record in account settings, but the feature is buried and no warning appears at the repository level if it is skipped.
The author only discovered the abuse because Google Search Console sent a new-owner alert; without it, the scam subdomains would have gone unnoticed.
Hacker News Comment Review
Commenters agree the root fix belongs on GitHub’s side: require domain owners to add a verification TXT record before any repo can claim a subdomain, mirroring how other platforms handle DNS ownership proof.
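A zone audit for the two conditions described above, a wildcard record that targets GitHub Pages and a missing verification TXT record, written as an added example and not code from the original article or from GitHub. The zone contents, example.com and example-user are constructed placeholders, and the parser accepts only simplified `name type value` lines.

```python
import ipaddress

# GitHub Pages apex addresses, as listed in GitHub's custom-domain documentation.
PAGES_IPS = {ipaddress.ip_address(a) for a in (
    "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153",
    "2606:50c0:8000::153", "2606:50c0:8001::153",
    "2606:50c0:8002::153", "2606:50c0:8003::153")}
CHALLENGE_PREFIX = "_github-pages-challenge-"  # TXT name used by GitHub domain verification

# Constructed sample zones (example.com and example-user are placeholders).
ZONE_EXPOSED = """
*.example.com.    CNAME  example-user.github.io.   ; wildcard: any label resolves
www.example.com.  CNAME  example-user.github.io.
"""
ZONE_WITH_TXT = ZONE_EXPOSED + """
_github-pages-challenge-example-user.example.com.  TXT  "constructed-token"
"""

def parse_zone(text):
    """Parse simplified 'name type value' lines (not full RFC 1035 zone syntax)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if line:
            name, rtype, value = line.split(None, 2)
            records.append((name.lower().rstrip("."), rtype.upper(), value.strip('"')))
    return records

def points_at_pages(rtype, value):
    """True when a record's target is GitHub Pages (github.io name or Pages IP)."""
    if rtype == "CNAME":
        return value.lower().rstrip(".").endswith(".github.io")
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(value) in PAGES_IPS
    return False

def audit(text):
    """List wildcard records aimed at GitHub Pages and whether the zone
    publishes a Pages challenge TXT record under the same parent domain."""
    records = parse_zone(text)
    findings = []
    for name, rtype, value in records:
        if name.startswith("*.") and points_at_pages(rtype, value):
            parent = name[2:]
            has_txt = any(t == "TXT" and n.startswith(CHALLENGE_PREFIX)
                          and n.endswith("." + parent) for n, t, _ in records)
            findings.append({"wildcard": name, "target": value, "challenge_txt": has_txt})
    return findings
```

A `challenge_txt` value of `True` only shows that the record is published in DNS; whether the domain is actually marked verified still has to be confirmed in the GitHub account settings.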