407 points todsacerdoti | 4 comments
arjvik No.45008810
Took the article pointing out that the c and r were transposed for me to even notice there was a problem!
replies(2): >>45008822 #>>45008942 #
echelon No.45008942
The problem here is GitHub's terrible domain name.

The container registry has a horrible name.

replies(1): >>45008979 #
Gigachad No.45008979
Why does it seem companies hate subdomains so much? Why is this not just registary.github.com or something? It's like they are trying to get people to fall for phishing by creating so many random domains.
replies(6): >>45009027 #>>45009048 #>>45009149 #>>45009221 #>>45009237 #>>45011982 #
dcrazy No.45009221
It’s best security practice to host user-generated content on a separate domain to opt into browsers’ cross-domain security policies. Hence ghcr.io, githubusercontent.com, fbimg.com, etc.

https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...

replies(1): >>45010131 #
1. usr1106 No.45010131
Not a web programmer, so I know cross-domain only from hearsay :(

It does not seem to hinder e.g. Google using google.com, youtube.com, gmail.com, and several (many?) others to collect your data. Do you say security and privacy work differently here?

replies(1): >>45010203 #
2. missingcolours No.45010203
In those cases, the company controls all of the code running on those sites, so it's desirable for them to share data and cookies in particular. (e.g. any google.com site can read your login cookie)

In the case of user data domains, intentionally in the design of the service or via a security hole, users may be able to execute code and read cookies (e.g. in JavaScript on a page hosted on githubusercontent.com) and that's undesirable.

replies(1): >>45010353 #
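The cookie-scoping rule behind the comment above, as an added example that is not part of the thread: a simplified model of RFC 6265 domain matching that shows which hosts receive a cookie. The hostname `usercontent.github.com` and the cookie name are constructed for illustration, and the public-suffix, Path and Secure checks a real browser performs are left out.

```javascript
// Simplified RFC 6265 cookie scoping (assumption: no public-suffix list,
// no Path/Secure/SameSite handling). Hostnames below are constructed samples.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical, or when the host ends with "." + domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Model what the browser stores for a Set-Cookie response from setterHost.
// Returns null when the Domain attribute does not cover the setting host.
function storeCookie(setterHost, name, domainAttr) {
  if (domainAttr === undefined) {
    // No Domain attribute: host-only cookie, never shared with subdomains.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(setterHost, domainAttr)) return null;
  return { name, domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Would the browser attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

const hosts = [
  "github.com",
  "usercontent.github.com",   // hypothetical: user content on a subdomain
  "githubusercontent.com",    // separate registrable domain
  "ghcr.io",
];

function recipients(cookie) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// A login cookie scoped to the whole domain reaches every subdomain,
// but never a different registrable domain.
const shared = storeCookie("github.com", "session", "github.com");
const hostOnly = storeCookie("github.com", "session", undefined);
console.log(recipients(shared), recipients(hostOnly));
```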
3. usr1106 No.45010353
Sure, I see why as a company you don't want user data in your domain.

But if the different domain name gives good protection / isolation, why does Google still use completely different domains for different services with content controlled by them? I cannot believe they are interested in protecting users from data collection.

replies(1): >>45010500 #
4. plorkyeran No.45010500
YouTube was an acquisition that they didn’t rebrand. Google Video was on google.com. gmail.com redirects to mail.google.com, and only email addresses use the gmail domain to avoid appearing to be google employee emails.