A security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles domain verification, a security issue that the company has now fixed. GitLab, a web-based Git repository manager that lets developers track and collaborate on source code and project development, also allows users to host their own content and projects under a custom domain name. But the company said in a security notification on February 5 that no validation was being performed when a user added a custom domain to their GitLab account. If a custom domain points to GitLab while the repo it was attached to has recently been deleted, or has not yet been claimed and will only be added later, the domain can be hijacked during that short window.
ORIGINAL SOURCE: ZDNet