The registration details for more than 280,000 protected domains have been made publicly available due to a flaw in the Google Apps domain renewal system, Cisco reported on Thursday.
Google Apps users can acquire new domains from third-party registrars, such as eNom and GoDaddy, that are in a partnership with the search giant. eNom provides a paid service called ID Protect, which allows domain owners to hide their WHOIS data.
WHOIS data includes the registrant’s name, physical address, email address, and phone number. This information can be useful to spammers and even identity thieves, which is why many domain owners enable privacy protection services.
eNom’s privacy protection service worked properly when it was first activated. However, according to Cisco, starting in mid-2013 the protection was silently removed when the domains were renewed, making the registration information publicly available in the WHOIS directory.
Cisco has determined that the issue affected roughly 94% of the 305,000 domains registered by Google Apps users through eNom.
The issue was discovered by Cisco researchers on February 19. Google addressed the error less than one week later and notified affected customers on March 12.
In the notification sent out to customers, Google blamed the incident on a “software defect” in the Google Apps domain renewal system.
“A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused,” a Google spokesperson told SecurityWeek.
“The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet. This information will be available permanently as a number of services keep WHOIS information archived,” Cisco researchers explained in a blog post.
As experts have pointed out, the incident has implications for both the good and the bad guys. On one hand, eNom’s privacy protection feature appears to have been activated for some suspicious websites, such as federalbureauinvestigations.com and hfcbankonline.com. While in most cases malicious actors use false information when registering domains, the data can still be useful for attribution purposes, Cisco noted.
On the other hand, experts believe that those who had a legitimate reason to protect their registration information may now be at risk as a result of the incident. The leaked details can be highly valuable to a threat actor, since they can be used to craft spear-phishing emails that contain the target’s name and other personal information.
“Privacy remains a key issue of concern for individuals and organizations of all sizes. In the case of WHOIS data and privacy protection, it’s clear that there is value in protecting domain registration information from being published given the 94% opt-in rate,” Cisco said. “Organizations that handle any sensitive information must ensure that the appropriate systems are safeguarded and that the processes handle failure gracefully.”
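One way a domain owner can catch the failure mode described above, in which privacy protection quietly disappears at renewal, is to diff WHOIS registrant snapshots taken before and after the renewal. The following is an added example, not code from Cisco, Google or eNom; the privacy-proxy marker strings and the sample WHOIS records are constructed assumptions for illustration.

```python
import re

# Assumed marker substrings identifying a privacy-proxy registrant; these are
# illustrative, not taken from the article or from any registrar's real records.
PROXY_MARKERS = ("whois privacy", "whois agent", "id protect")

# Registrant contact fields in the common "Key: value" WHOIS layout.
FIELD_RE = re.compile(
    r"^(Registrant (?:Name|Organization|Email|Phone)):[ \t]*(.*)$", re.MULTILINE)


def parse_registrant(whois_text):
    """Extract registrant contact fields from a raw WHOIS response."""
    return {key: value.strip() for key, value in FIELD_RE.findall(whois_text)}


def is_privacy_protected(fields):
    """True when the registrant contact is a privacy proxy rather than a person."""
    blob = " ".join(fields.values()).lower()
    return any(marker in blob for marker in PROXY_MARKERS)


def find_dropped_protection(before, after):
    """Compare two {domain: whois_text} snapshots taken around a renewal.

    Returns {domain: [exposed field names]} for domains that were
    privacy-protected in `before` but show direct registrant data in `after`.
    """
    dropped = {}
    for domain, old_text in before.items():
        new_text = after.get(domain)
        if new_text is None:
            continue  # domain missing from the new snapshot: nothing to compare
        old_fields, new_fields = parse_registrant(old_text), parse_registrant(new_text)
        if is_privacy_protected(old_fields) and not is_privacy_protected(new_fields):
            dropped[domain] = sorted(k for k, v in new_fields.items() if v)
    return dropped


# Constructed sample snapshots (fictional registrants under the reserved .test TLD).
PROTECTED = ("Registrant Name: Whois Agent\n"
             "Registrant Organization: Whois Privacy Protection Service, Inc.\n"
             "Registrant Email: proxy@whoisprivacyprotect.test\n")
EXPOSED = ("Registrant Name: Jane Example\n"
           "Registrant Organization: Example Bakery LLC\n"
           "Registrant Email: jane@example-bakery.test\n"
           "Registrant Phone: +1.5555550100\n")
BEFORE = {"example-bakery.test": PROTECTED, "example-two.test": PROTECTED}
AFTER = {"example-bakery.test": EXPOSED, "example-two.test": PROTECTED}

if __name__ == "__main__":
    for domain, fields in find_dropped_protection(BEFORE, AFTER).items():
        print(f"{domain}: privacy protection dropped, now exposing {fields}")
```

In practice the snapshots would come from scheduled WHOIS lookups of the domains you own, and any non-empty result should page the domain administrator.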
*Updated with statement from Google