A WoSign customer wanted to acquire a certificate for the server name med.ucf.edu, a subdomain of the University of Central Florida’s domain ucf.edu.
The customer was duly authorised to run this subdomain, which belongs to the College of Medicine, so WoSign was correct to approve it.
However (and, in hindsight, by good fortune), the customer also accidentally applied for a certificate for www.ucf.edu, presumably having mistyped www.med.ucf.edu.
To his surprise (I am guessing at the customer’s gender here), the second application was approved as well.
This turned out to be more than a one-off: the customer ran a second test, requesting a certificate for another domain he had the right to control, namely anaccount.github.com (and anaccount.github.io).
Deliberately following the same faulty path that he had followed by mistake in his previous application, he ended up with a vouched-for certificate for all of github.com, github.io, and www.github.io.
As these are the primary server names for the popular source code hosting service GitHub, this would have been a blunder with serious consequences if a crook were to have spotted this trick and acquired the dodgy GitHub certificate with cybercrime in mind.
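The pattern in both applications is the same: control was proven for a subdomain (med.ucf.edu, anaccount.github.com, anaccount.github.io) and the CA then treated the parent, or a sibling under the same parent, as covered. The following added example is not code from the article or from WoSign; it models the scope decision a CA makes after a domain validation succeeds. The `loose_covers` function is a hypothetical rule chosen only because it reproduces the outcomes the article reports, while `strict_covers` applies the rule a validation should enforce: a validated name covers itself and its own subdomains, never its parent or siblings. The domain names are the article's; the function names are assumptions.

```python
# Added example, not code from the article or from any CA. Models the
# "which requested names does this completed validation cover?" decision.


def _labels(name):
    """Normalise a DNS name into lowercase labels, dropping a trailing dot."""
    return name.lower().rstrip(".").split(".")


def loose_covers(validated, requested):
    """Hypothetical faulty rule (an assumption, not the CA's real logic):
    collapse the validated name to its last two labels and accept anything
    that ends in that 'base domain'. Validating med.ucf.edu then 'covers'
    www.ucf.edu and ucf.edu itself, which is the article's outcome."""
    base = _labels(validated)[-2:]
    return _labels(requested)[-2:] == base


def strict_covers(validated, requested):
    """Correct rule: the requested name must equal the validated name or be
    a subdomain of it. Comparison is label-wise rather than a string suffix
    test, so 'notucf.edu' does not match a validation of 'ucf.edu'."""
    v = _labels(validated)
    r = _labels(requested)
    return len(r) >= len(v) and r[-len(v):] == v


def issuable(validated, requested_names, rule):
    """Return the requested names that `rule` would allow onto a certificate."""
    return [n for n in requested_names if rule(validated, n)]


if __name__ == "__main__":
    # Constructed cases using the names from the article.
    cases = [
        ("med.ucf.edu", ["med.ucf.edu", "www.ucf.edu", "ucf.edu"]),
        ("anaccount.github.com", ["anaccount.github.com", "github.com"]),
        ("anaccount.github.io", ["anaccount.github.io", "github.io", "www.github.io"]),
    ]
    for validated, requested in cases:
        print(validated)
        print("  loose : ", issuable(validated, requested, loose_covers))
        print("  strict: ", issuable(validated, requested, strict_covers))
```

Run stand-alone, the loose rule lets every parent and sibling name through for all three validations, while the strict rule returns only the name that was actually validated (plus any names beneath it). The label-wise comparison in `strict_covers` matters: a plain `endswith` check would reintroduce a different scope bug, accepting `notucf.edu` as a child of `ucf.edu`.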