GitHub Prevents More Attacks by Moving Pages to GitHub.io
GitHub has announced that it’s moving GitHub Pages to a new domain, github.io, in an effort to prevent phishing and cross-site request forgery (CSRF) attacks.
“This is a security measure aimed at removing potential vectors for cross domain attacks targeting the main github.com session as well as vectors for phishing attacks relying on the presence of the ‘github.com’ domain to build a false sense of trust in malicious websites,” GitHub stated.
Session fixation and CSRF vulnerabilities on Pages sites hosted on github.com subdomains could have allowed an attacker who controlled a Pages site to write cookies scoped to the whole github.com domain, and thereby to deny users access to github.com or to fixate a user’s CSRF token.
Although GitHub hasn’t found any evidence of accounts being compromised because of such vulnerabilities, it wants to mitigate the attack vectors.
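The mechanism behind the move is ordinary cookie domain scoping: a page served from a subdomain may set a cookie whose Domain attribute is the parent domain, and browsers then send that cookie to the parent host too. The following is an added example, not code from the article or from GitHub, that simulates the RFC 6265 domain-matching rules a user agent applies when storing and sending cookies. The hostnames alice.github.com and alice.github.io, and the cookie name _gh_csrf_token, are constructed for illustration; the simulation covers the domain criteria only and omits path, Secure and public-suffix checks.

```python
# Added example (not from the GitHub announcement): RFC 6265 cookie domain
# scoping, showing why a site on a github.com subdomain could plant cookies
# that the main github.com session receives, and why a github.io host cannot.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain; for host-only cookies, the setting host
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain when they are equal
    or host ends with '.' + domain. IP-literal handling is omitted here."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def accept_set_cookie(request_host: str, name: str, value: str,
                      domain_attr: Optional[str] = None) -> Optional[Cookie]:
    """Simulate a user agent deciding whether to store a Set-Cookie header
    (RFC 6265 section 5.3). Returns the stored Cookie, or None if rejected."""
    if domain_attr is None:
        # No Domain attribute: host-only cookie bound to the exact request host.
        return Cookie(name, value, request_host.lower(), True)
    if not domain_matches(request_host, domain_attr):
        # A host may not set cookies for a domain it does not belong to.
        return None
    return Cookie(name, value, domain_attr.lower().strip("."), False)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[Cookie]:
    """Return the cookies a user agent would attach to a request for
    request_host (RFC 6265 section 5.4, domain criteria only)."""
    sent = []
    for c in jar:
        if c.host_only:
            if c.domain == request_host.lower():
                sent.append(c)
        elif domain_matches(request_host, c.domain):
            sent.append(c)
    return sent


def pages_cookie_reaches_main_site(pages_host: str,
                                   main_host: str = "github.com") -> bool:
    """Check whether a Pages site on pages_host could plant a domain cookie
    that the browser would then send along with requests to main_host.
    The cookie name _gh_csrf_token is a constructed example value."""
    jar: List[Cookie] = []
    planted = accept_set_cookie(pages_host, "_gh_csrf_token",
                                "attacker-chosen", domain_attr=main_host)
    if planted is not None:
        jar.append(planted)
    return any(c.name == "_gh_csrf_token"
               for c in cookies_sent_to(jar, main_host))


if __name__ == "__main__":
    # Constructed hostnames: the old Pages layout versus the new one.
    for host in ("alice.github.com", "alice.github.io"):
        reached = pages_cookie_reaches_main_site(host)
        print(f"{host:18} -> cookie reaches github.com: {reached}")
```

Run as a script, the simulation reports that a cookie set from alice.github.com with Domain=github.com is stored and sent to github.com, while the same Set-Cookie from alice.github.io is rejected outright because the host does not domain-match github.com. Real browsers additionally reject a Domain attribute that is a public suffix; that check is omitted from this simulation, which is why moving user content to a separate registrable domain, rather than tightening the main site's own cookie handling, is what closes the vector.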