Google Leaks Private Data from Hundreds of Thousands of Domains
The private information of hundreds of thousands of domain owners was inadvertently released to the public, thanks to a mistake by Google. The hidden Whois data for more than 282,000 domains was accidentally leaked by Google Apps, according to a report by the Web site Ars Technica.
The error affected domains that Google had registered with its partner, domain registrar eNom. Around 94 percent of the domains Google registered with eNom have been made public.
Whois is a query and response protocol that identifies the individual or company behind the registration of a domain name, essentially revealing the owner of a Web site. The error stems from a software bug in the Google Apps for Work platform that arose in 2013. As a result of the defect, the database used by Google Apps leaked the Whois data for a domain whenever the owner renewed it.
The Phone Book of the Internet
Although the bug has existed for almost two years, Google only recently became aware of the issue and took the steps necessary to fix it. The flaw was initially discovered in February by the Talos Security Intelligence and Research Group, a division of Cisco Systems, as part of Google’s Vulnerability Rewards Program. The bug was patched within five days of its discovery, according to Ars Technica.
The information that was made public by the breach includes full names, street addresses, phone numbers and e-mail addresses for the domains. The leak exposed the affected users to targeting by spammers, spearphishers, or other online threats, according to a blog post by the Talos Security team. In fact, eNom had specifically marketed itself to customers as providing the security precautions necessary to keep their information secure.
“Whois acts as the phone book of the Internet, allowing anyone to query who owns what domain and how to contact them,” the Cisco researchers wrote in a blog post. “This is a requirement prescribed by ICANN, who organizes and manages the conventions used in domain names. Domain Name privacy protections are used to mask this information from always being publicly displayed. Just as it’s possible to pay to have your name removed from the phonebook.”
Repercussions for Years
Unfortunately for the individuals and companies affected by the breach, the information that was leaked is now a permanent part of the Internet record, since there are a number of services that keep Whois data archived. However, the news is not entirely negative: the leak has also identified several domains that have already been linked to malicious activity.
Domains such as “federalbureauinvestigations.com” and “hfcbankonline.com” both have extremely low reputation scores, and are likely to be involved in activities that are not entirely on the up-and-up, according to the Talos team.
Nevertheless, many domain owners opt to keep their personal and corporate information private for completely legitimate reasons. Those parties are likely to experience significant repercussions as a result of the breach for years to come, as the information will remain available to anyone with access to a cached version of the Whois database.
“Organizations that handle any sensitive information must ensure that the appropriate systems are safeguarded and that the processes handle failure gracefully,” according to Talos. “In this instance, a simple check on domains changing state from being privacy protected to not being privacy protected could have identified the problem as it started to occur.”
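The state-change check Talos describes in the quote above, sketched as an added example (not code from the article, Google, eNom or Talos): it compares two snapshots of Whois records and reports domains that went from privacy-protected to exposed, noting whether the flip coincided with a renewal. The record fields, proxy marker strings, alert threshold and sample records are constructed assumptions.

```python
# Added example, not Google's, eNom's or Talos's code. Field names, marker
# strings, the alert threshold and the sample records are constructed.
PRIVACY_MARKERS = ("whois privacy", "privacy protect", "redacted for privacy")
FIELDS = ("registrant_name", "registrant_org", "registrant_email")

def is_protected(record):
    """True when the registrant fields look like a privacy proxy, not a person."""
    text = " ".join(str(record.get(f, "")) for f in FIELDS).lower()
    return any(marker in text for marker in PRIVACY_MARKERS)

def privacy_regressions(before, after):
    """Domains protected in `before` that are present but exposed in `after`.

    Each hit records whether the expiry date also moved, i.e. whether the
    flip coincided with a renewal (the trigger reported in this incident).
    """
    hits = []
    for domain, old in sorted(before.items()):
        new = after.get(domain)
        if new is None or not is_protected(old) or is_protected(new):
            continue  # dropped domain, never protected, or still protected
        hits.append({"domain": domain, "renewed": old.get("expires") != new.get("expires")})
    return hits

def assess(before, after, alert_ratio=0.05):
    """Return (hits, ratio of protected domains that flipped, alert flag)."""
    protected = sum(1 for r in before.values() if is_protected(r))
    hits = privacy_regressions(before, after)
    ratio = len(hits) / protected if protected else 0.0
    return hits, ratio, ratio >= alert_ratio

# Constructed snapshots: alpha is renewed and loses protection, bravo is
# unchanged, charlie is dropped, delta was public all along.
PROXY = {"registrant_name": "Whois Privacy Service", "registrant_email": "proxy@privacy.example"}
BEFORE = {
    "alpha.example": {**PROXY, "expires": "2015-02-01"},
    "bravo.example": {**PROXY, "expires": "2015-06-01"},
    "charlie.example": {**PROXY, "expires": "2015-03-01"},
    "delta.example": {"registrant_name": "Pat Doe", "registrant_email": "pat@delta.example", "expires": "2015-04-01"},
}
AFTER = {
    "alpha.example": {"registrant_name": "Sam Roe", "registrant_email": "sam@alpha.example", "expires": "2016-02-01"},
    "bravo.example": {**PROXY, "expires": "2015-06-01"},
    "delta.example": BEFORE["delta.example"],
}

if __name__ == "__main__":
    hits, ratio, alert = assess(BEFORE, AFTER)
    print(hits, round(ratio, 2), "ALERT" if alert else "ok")
```

A single owner turning privacy off is normal, so the alert keys on the share of protected domains that flip between snapshots rather than on any one flip.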
Posted: 2015-03-13 @ 2:29pm PT
In this day and age of so many data leaks and breaches, this one is really minor. Whois data was meant to be public by design. Obviously the design is flawed and as a domain owner myself I received tons of phishing scams over the years. Rather than hammering on the bug at Google, it is time to redesign the whois database and make sure owners of domains can be contacted for intended purposes without collateral privacy damage.