Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Google Apps Bug Exposed Registration Data for 280,000 Domains

The registration details for more than 280,000 protected domains have been made publicly available due to a flaw in the Google Apps domain renewal system, Cisco reported on Thursday.

The registration details for more than 280,000 protected domains have been made publicly available due to a flaw in the Google Apps domain renewal system, Cisco reported on Thursday.

Google Apps users can acquire new domains from third-party registrars, such as eNom and GoDaddy, that are in a partnership with the search giant. eNom provides a paid service called ID Protect, which allows domain owners to hide their WHOIS data.

WHOIS data includes the registrant’s name, physical address, email address, and phone number. This information can be useful to spammers and even identity thieves, which is why many domain owners enable privacy protection services.

eNom’s privacy protection service worked properly when it was first activated. However, according to Cisco, the protection was removed starting with mid-2013 once the domains were renewed, making registration information publicly available in the WHOIS directory.

Cisco has determined that the issue affected roughly 94% of the 305,000 domains registered by Google Apps users through eNom.

The issue was discovered by Cisco researchers on February 19. Google addressed the error less than one week later and notified affected customers on March 12.

In the notification sent out to customers, Google blamed the incident on a “software defect” in the Google Apps domain renewal system.

“A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused,” a Google spokesperson told SecurityWeek.

“The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet. This information will be available permanently as a number of services keep WHOIS information archived,” Cisco researchers explained in a blog post.

As experts have pointed out, the incident has implications for both the good and the bad guys. On one hand, eNom’s privacy protection feature appears to have been activated for some suspicious websites, such as federalbureauinvestigations.com and hfcbankonline.com. While in most cases malicious actors use false information when registering domains, the data can still be useful for attribution purposes, Cisco noted.

On the other hand, experts believe that those who might have had a good reason to protect their registration information may be in some sort of danger as a result of the incident. The leaked details can be highly valuable for a threat actor since they can be used to create spear phishing emails that contain the target’s name and other personal information.

“Privacy remains a key issue of concern for individuals and organizations of all sizes. In the case of WHOIS data and privacy protection, it’s clear that there is value in protecting domain registration information from being published given the 94% opt-in rate,” Cisco said. “Organizations that handle any sensitive information must ensure that the appropriate systems are safeguarded and that the processes handle failure gracefully.”

*Updated with statement from Google

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Privacy

A top U.S. intelligence official on Thursday urged Congress to renew sweeping powers granted to American spy agencies to surveil and examine communications, saying...

Compliance

San Francisco-based privacy compliance and data protection firm TrustArc on Wednesday announced that it raised $70 million in a Series D funding round.