My website was hacked!
Posted by Yuling Yao on Oct 26, 2024. This week I received a shocking email from Jinlin saying that my personal website was hacked: it was redirected to some scam webpage and all my blog posts were missing. No joking, a website being hacked can still happen in 2024.
Well, except how can a static website be hacked? My site was hosted on GitHub Pages, and the domain had been with Google Domains until very recently, when it was sold to Squarespace, like many other services Google had offered. As creepy as it may sound, like many other amateur cyber-attack-persecutory-delusion victims, I had invested heavily in multiple security defense tools such as hardware two-factor authentication tokens. Usually, these tools are designed for the broadest purpose and aimed at the widest generalization, but they often have zero practical value, which many statistical theories appear to carry in the same way. So I would be lying if there was not a hint of excitement at the speculation of being attacked by some state-of-the-art professional hackers, such that my investment in a YubiKey was not a pure waste. So I checked Squarespace, who had created an account on my behalf, the same way journals create an account for you before they send unsolicited review invitations. Surprisingly, both the Squarespace and the GitHub account seemed OK: I could log into the account; the DNS settings were fine; there was no evidence of any file change.
Later I found the issue: it turns out that I had been using a GitHub Education account, which provided unlimited access to private repos. One month ago, I received an email saying this education coupon would end soon. I tried to apply again using my UT badge, but GitHub denied the application for some unknown reason. At that time I thought it was OK to be downgraded to GitHub Free, since ChatGPT had reassured me that there was technically no difference between GitHub Pro and GitHub Free anymore, now that both offered unlimited private repos. What ChatGPT did not tell me was that GitHub would not render a Pages site from a private repo if it was owned by a free account. I did not know this rule until I contacted GitHub support today. It makes a lot of sense that ChatGPT gave me a wrong answer, since he cannot email GitHub support, and any normal person like ChatGPT would certainly not imagine GitHub's unwritten rules, right?
But even if GitHub no longer rendered the private repo now that I was no longer a GitHub Pro user, at most my website would be inaccessible and return a 404 error. Why would it be "hacked" and redirected to some gambling scam website?
Eventually, I figured out the reason. Here is how GitHub Pages works on a custom domain: you buy a domain and set the DNS records of your website, specifically the A and AAAA records. The final step is to tell GitHub Pages about your new domain, and that is it. What I now find funny is that there is technically no verification from the GitHub side of whether you own the domain or not. The A and AAAA records point to the GitHub servers, and these records are the same for all GitHub users. So a potential hacker only needs to scan all websites whose A record (DNS records are public) matches the GitHub servers, and then they can create their own GitHub Pages repo claiming ownership of other people's domains. As long as your GitHub Pages site is inactive (either because of one bad pull request or because you forgot to subscribe to GitHub Pro on a free account), GitHub will release the hacker's request and link your domain to the hacker's repo.
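As an added example (not code from the original post), here is a small Python checker for the "inactive" state just described: it resolves a domain, compares the addresses with GitHub's published Pages addresses (assumed current; verify them against GitHub's own documentation), and asks GitHub over plain HTTP whether any site is attached. A 404 on a domain that still points at GitHub is the dangling condition that lets another account claim it.

```python
"""Detect a custom domain whose DNS still points at GitHub Pages while no
site serves it (the claimable state).  Added example, not the post's code."""
import socket
import urllib.error
import urllib.request

# GitHub Pages addresses as listed in GitHub's documentation at the time of
# writing (assumption: still current; re-check before relying on them).
GITHUB_PAGES_IPS = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
    "2606:50c0:8000::153", "2606:50c0:8001::153",
    "2606:50c0:8002::153", "2606:50c0:8003::153",
}


def resolve_ips(domain):
    """Return the set of IPv4/IPv6 addresses the domain currently resolves to."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def pages_status(domain):
    """HTTP status GitHub answers for the bare domain (None if unreachable).
    Plain HTTP is used on purpose: an unclaimed domain has no certificate,
    so an HTTPS probe would fail before GitHub could answer 404."""
    req = urllib.request.Request(f"http://{domain}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(ips, status):
    """Pure decision logic, kept separate so it is testable without network."""
    if not ips & GITHUB_PAGES_IPS:
        return "not-github-pages"   # DNS does not point at GitHub at all
    if status == 404:
        return "dangling"           # points at GitHub, but no repo serves it
    if status is None:
        return "unreachable"
    return "served"                 # some repo (hopefully yours) answers


def check_domain(domain):
    return classify(resolve_ips(domain), pages_status(domain))
```

A "served" result only says that some GitHub repo answers for the domain; if a takeover has already happened, compare the content with what you expect to publish.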
Despite the inconvenience of the brief loss of my website, and the awkwardness that Google Search still indexes the hacker's favicon for my website as I am typing, overall I find some intellectual fun in solving this whole mystery. We are in the profound age of AI, but I never see any fear of AI taking over humanity justified, as long as every semester I can still encounter technical issues with a projector. If an AI's fate can be tied to Google's sophisticated decision to shut down its domain business, GitHub's distinction between free and Pro accounts, and GitHub's careful and responsible verification procedure over domain ownership¹, humanity might be safer than we think!
¹ For the sake of a balanced report, I asked ChatGPT to comment on this blog post. In his famously lengthy and elaborate tone, ChatGPT reminds me that "GitHub doesn't actively 'release the hacker's request' but instead passively allows domain takeover if no site is associated with the domain." I am glad that ChatGPT kindly helped us reduce potential misunderstandings about GitHub's passive attitude.
