Leak started in mid-2013, affects eNom registrar domains

Mar 13, 2015 09:07 GMT

Private information belonging to 282,867 domains registered through the Google Apps system became publicly available, exposing it to risks ranging from spam to identity theft.

Google Apps lets business organizations purchase domain names from one of Google’s partners, the benefit being easy setup and management of the associated services.

Only records of renewed domains have been leaked

The domains were registered through the registrar eNom, and security researchers said on Thursday that the number of records leaked represented about 94% of a total of 305,925.

The issue, which persisted for almost two years, occurred when domains were renewed: a software defect turned the protected records into public information retrievable by querying whois databases.

In a letter sent to Google Apps administrators on Tuesday, Google explained the nature of the problem, saying that “due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed.”

Whois privacy protection for domain records is a paid feature that keeps details such as name, physical address, email, and phone number hidden from the public. This security measure prevents the data from falling into the wrong hands and being used for malicious purposes.
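The defect described in Google’s letter has a simple signature: a registrant record that showed a privacy placeholder before renewal shows real contact details afterwards. The following added example (not code from Google, eNom or Cisco) checks for exactly that lapse over whois text; the field names, the privacy-marker words and the two sample records are assumptions constructed for the illustration.

```python
import re
from typing import Dict, List

# Contact fields whois privacy is meant to hide (name, physical address, email, phone).
CONTACT_FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Street",
                  "Registrant Email", "Registrant Phone")
# Assumed placeholder wording used by privacy/proxy services; tune for your registrar.
PRIVACY_MARKERS = re.compile(r"privacy|proxy|whois agent|redacted", re.I)

def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Key: value' whois lines into a dict (later duplicates win)."""
    record: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue  # skip blanks, comments and legal notices
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record

def is_privacy_protected(record: Dict[str, str]) -> bool:
    """True if the registrant identity is a privacy/proxy placeholder."""
    return any(PRIVACY_MARKERS.search(record.get(f, ""))
               for f in ("Registrant Name", "Registrant Organization"))

def exposed_fields(record: Dict[str, str]) -> List[str]:
    """Contact fields a public whois query would reveal for this record."""
    if is_privacy_protected(record):
        return []
    return [f for f in CONTACT_FIELDS if record.get(f)]

def privacy_lapsed(before_text: str, after_text: str) -> List[str]:
    """Fields hidden before renewal but public afterwards: the defect's signature."""
    exposed_before = set(exposed_fields(parse_whois(before_text)))
    return [f for f in exposed_fields(parse_whois(after_text)) if f not in exposed_before]

# Constructed sample records for a hypothetical domain; not real whois output.
BEFORE_RENEWAL = """\
Registrant Name: Whois Privacy Service
Registrant Email: proxy@privacy.example
"""
AFTER_RENEWAL = """\
Domain Name: EXAMPLE-TENANT.COM
Registrant Name: Jane Doe
Registrant Organization: Example Tenant LLC
Registrant Street: 1 Example Way
Registrant Email: jane@example-tenant.com
Registrant Phone: +1.0000000000
"""
```

Running `privacy_lapsed` over snapshots taken before and after each renewal turns the lapse into an alert instead of a discovery made months later.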

Once info becomes public, it is hard to remove it from the web

Cisco Systems’ Talos researcher Craig Williams discovered the problem on February 19, 2015, and reported it to the Google Apps team.

About a week later, the search giant reported to the researcher that the problem was solved and requested five to ten business days to make sure that only the domains registered through eNom were affected.

However, once the information reaches the public side of the Internet, securing it again is a tough job, since it already sits in whois caches and anyone with access to those databases can extract it.

Cisco researchers say that this whois information leak has implications not only for the good guys but also for the bad ones, as domains associated with malicious activity have been identified.

“For example, the domain ‘federalbureauinvestigations.com’ has an extremely poor web reputation score. Another domain, ‘hfcbankonline.com,’ also possesses a similarly poor web reputation score (we can only speculate as to the reason),” they write in a blog post published on Thursday.

On the other hand, organizations running a legitimate business are at risk of falling victim to spear-phishing, especially since a threat actor can increase credibility with valid information such as phone numbers, addresses and real employee names.

Image: Google informs admins of domain record leak

Image: Private domain records returned by public whois queries