Google Apps flaw leaks personal details on domain holders

News by Max Cooter

Thousands of domain name holders have had their personal details, including addresses and phone numbers, revealed on the internet, thanks to a software flaw that went unnoticed for two years.

The vulnerability, which affects Google Apps users, was uncovered by Cisco Talos security researchers recently, although the original problem dates back to 2013. It affects customers whose domain names are up for renewal, and only those who registered through the eNom registrar.

The real kicker is that it affects companies that specifically opted for the Whois privacy setting; thanks to the flaw, their personal details are now accessible all over the internet. It's not a minor issue for the company: according to Cisco Talos, 282,867 domains are affected, roughly 94 percent of the registrations handled by eNom.

According to independent security consultant Graham Cluley, the fact that it was not noticed for a couple of years was not surprising. “It's always disappointing when a vulnerability can lurk unnoticed for years and years. Just think of ShellShock, for instance, which was in Bash for 25 years before anyone spotted it,” he said.

The flaw is a major headache for Google because the availability of products like Domain Tools has made the tracking of individual records even easier.

UK users can breathe a little easier, however, as the WHOIS database is handled in a slightly different manner on this side of the Atlantic. “We're not currently aware of any Nominet customers affected by this breach,” said Simon McCalla, chief technology officer at Nominet. “Our WHOIS differs significantly from the situation in .com – we publish much less information in the .uk WHOIS. Only the contact name and address of domain registrants are published, and private individuals can opt-out of having their address published for free. We never publish email addresses or phone numbers.”

Nominet is in the process of overhauling its privacy procedures and is contacting customers for approval of the changes. McCalla made clear, however, that these changes had nothing to do with the Google vulnerability. “We don't see this breach having any implications for our proposed WHOIS data disclosure policy and were not aware of it when we formulated the proposal,” he said.

What's not quite clear is where the fault lay: was it an issue with Google itself or with eNom's procedures? A Google spokeswoman would not comment on this, nor would she say whether there were any other undiscovered flaws. The company released a statement about the vulnerability but would not expand any further: “A security researcher recently reported a defect via our Vulnerability Rewards Programme affecting Google Apps' integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we're communicating with affected Apps customers. We apologise for any issues this may have caused.”

Cluley, however, expressed a concern about what else lies hidden. “Clearly what occurred was a very big mistake, and should never have happened in the first place. Whenever I hear stories like this I always think, I wonder what else has gone wrong that we still don't know.”
