We were notified by security researcher Shay Ben Tikva that one of our product domains (www.thethingsstack.io) was misconfigured in a way that allowed it to serve arbitrary third-party content.
The issue was that we created a CNAME record on the www subdomain of thethingsstack.io pointing to GitHub Pages, but did not register that subdomain with GitHub Pages. Because of the way GitHub Pages works, anyone else could have claimed the subdomain and pointed it to their own content.
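A defensive check for the misconfiguration described above, as an added example (not The Things Network's own code): it scans zone-file text for CNAME records that target `*.github.io` and reports the ones missing from the list of custom domains actually configured on Pages sites. The zone, hostnames and `CLAIMED` set are constructed, and the parser handles only simple one-line records.

```python
PAGES_SUFFIX = ".github.io"

# Constructed sample zone (not the real thethingsstack.io zone).
SAMPLE_ZONE = """\
$ORIGIN example.org.
@      3600 IN A     192.0.2.10
www    3600 IN CNAME example-org.github.io.   ; never configured in Pages
docs   3600 IN CNAME Example-Org.GitHub.io.
blog   3600 IN CNAME hosting.example.net.
status.example.org. 300 IN CNAME example-org.github.io.
"""

# Assumption: custom domains the operator has configured on its own Pages sites.
CLAIMED = {"docs.example.org"}


def norm(name, origin=""):
    """Lower-case a DNS name, expand relative names, drop the trailing dot."""
    name = name.strip().lower()
    if name == "@":
        name = origin
    elif not name.endswith(".") and origin:
        name = f"{name}.{origin}"
    return name.rstrip(".")


def cname_records(zone_text):
    """Yield (owner, target) for every CNAME line in simplified zone text."""
    origin = ""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = norm(fields[1])
            continue
        types = [f.upper() for f in fields[1:]]  # skip the owner column
        if "CNAME" in types[:-1]:                # a target must follow
            i = types.index("CNAME") + 1
            yield norm(fields[0], origin), norm(fields[i + 1], origin)


def unclaimed_pages_cnames(zone_text, claimed):
    """Owners whose CNAME targets GitHub Pages but which no Pages site claims."""
    claimed = {norm(c) for c in claimed}
    return sorted(owner for owner, target in cname_records(zone_text)
                  if target.endswith(PAGES_SUFFIX) and owner not in claimed)


if __name__ == "__main__":
    for host in unclaimed_pages_cnames(SAMPLE_ZONE, CLAIMED):
        print(f"unclaimed GitHub Pages CNAME: {host}")
```

Any hostname it reports should either be added as a custom domain on the intended Pages site or have its CNAME record removed.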
We thank Shay Ben Tikva for using responsible disclosure and making The Things Network a secure place. Please read everything about our responsible disclosure policy at https://www.thethingsnetwork.org/responsible-disclosure