I just attempted this myself by creating an issue, commenting a file, copying the link and not submitting the issue.

It seems to work initially, but then 5m later the file gets deleted and the link leads to a dead s3 asset page.

So I believe this is fixed. Though the solutions suggested below are crafty, trying to reproduce myself shows me this has been addressed by the GH team.
Pretty standard stuff I would say.

Back in the day when I worked in this field malware writers regularly used things like Youtube as blob-storage and Instagram comments as C2 server mechanism.

Hiding in plain sight can be very effective.
This seems simple to fix - deactivate all links that didn’t become part of a published comment.

I’m sure this is hard, especially at that scale - then again it seems doable eventually.
The obvious fix is to remove the repo information, but do you grandfather in old files by redirecting to the new URL?

I’d say no, which I guarantee will break some legitimate packages that depend on files uploaded in GitHub comments.
GitHub has githubusercontent.com. Why was this domain not used for these uploads? Or did image uploads in comments predate that domain?

But either way putting the repo in the URL seems completely unnecessary. If you need to track ownership you can still do that in the backing database.
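The two fixes proposed in the comments above (deactivate links that never became part of a published comment; keep ownership in the backing database rather than in the URL), sketched as an added example that is not code from GitHub or from any commenter. The `uploads.example` URL format, the `UploadStore` class and the 5-minute pending TTL are assumptions for illustration; only the uploader can fetch an unpublished upload, everyone else gets a dead link until a published comment binds it.

```python
import re
from dataclasses import dataclass

# Assumed link format: an opaque token only, no owner or repo in the URL.
LINK_RE = re.compile(r"https://uploads\.example/files/([A-Za-z0-9_-]{16,})")
PENDING_TTL = 300  # seconds an unreferenced upload may live (assumed 5 minutes)


@dataclass
class Upload:
    token: str
    owner: str          # ownership is tracked here, never exposed in the link
    created_at: float
    published: bool = False  # True only once a published comment links it


class UploadStore:
    def __init__(self):
        self.uploads: dict[str, Upload] = {}

    def register(self, token, owner, now):
        """Record a fresh upload and return its public link."""
        self.uploads[token] = Upload(token, owner, now)
        return f"https://uploads.example/files/{token}"

    def publish_comment(self, body):
        """Bind every upload link found in a published comment body."""
        bound = []
        for token in LINK_RE.findall(body):
            rec = self.uploads.get(token)
            if rec is not None:
                rec.published = True
                bound.append(token)
        return bound

    def sweep(self, now):
        """Delete uploads that never got published and are past the TTL."""
        stale = [t for t, u in self.uploads.items()
                 if not u.published and now - u.created_at > PENDING_TTL]
        for t in stale:
            del self.uploads[t]
        return stale

    def resolve(self, token, requester):
        """Serve a published upload to anyone; a pending one only to its owner."""
        rec = self.uploads.get(token)
        if rec is None:
            return None
        if rec.published or rec.owner == requester:
            return rec
        return None  # unpublished link is dead for everyone but the uploader
```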
This is yet another example of hosting hostile content on an authoritative site.
I still have a service running to track this.[1] It's a join of PhishTank and a somewhat dated list of major sites. Google is by far the worst offender. Hosting phishing sites in Google Sheets, etc. is not unusual. Yahoo and Microsoft used to be on that list, but they got better at kicking off hostile content. Adobe (via Adobe Express) has quite a few entries.

[1] http://sitetruth.com/reports/phishes.html
People have also been using the fact that commit data inside of PRs can never be deleted (you must keep the URL though), to distribute pirated content (or links to it) for years now.