A bug within the popular Google Apps for Work service has resulted in the WHOIS data for more than 282,000 domains being exposed. The almost two-year old bug was discovered by the Cisco Talos Security Intelligence and Research Group and has since been patched by Google. According to Cisco Talos, 282,867 out of the 305,925 domains registered through Google Apps and a partnership with registrar eNom were affected.
WHOIS privacy protection allows individuals who register domains to keep their personal information private for numerous reasons, usually at an additional yearly cost. The researchers who discovered the issue state that:
The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet. This information will be available permanently as a number of services keep WHOIS information archived.
When first registered, the domain did have the WHOIS privacy protection enabled. The issue arose when a domain was renewed, and a bug in the way Google and eNom’s systems were integrated resulted in the privacy protection portion not being renewed which resulted in exposing names, phone numbers, physical & e-mail addresses, and other information associated with the domain.
A Google spokesman told Ars Technica that
“the bug resided in the way Google Apps integrated with eNom’s domain registration program interface. It was reported through Google’s Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed.”
Google had also sent notifications to Google Apps customers on Thursday night.
Dear Google Apps Administrator,
We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.
When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.
While many of the domains Cisco Talos identified are linked to malicious activity, like federalbureauinvestigations.com and hfcbankonline.com, other affected domains were registered using WHOIS privacy protection legitimately. Some of the people who registered these domains now have their personal data exposed and may be at risk for identity theft or targets of phishing email attempts. Unfortunately this information can’t be easily removed from the Internet as there are cached WHOIS databases in which the public details can be accessed.
What do you think about this bug with Google Apps for Work and domain registrations? Let us know in the comments below, or on Google+, Twitter, or Facebook.