Google leaked the complete hidden whois data attached to more than 282,000 domains registered through the company’s Google Apps for Work service, a breach that could bite good and bad guys alike.
The 282,867 domains counted by Cisco Systems’ researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom. Among the services is one that charges an additional $6 per year to shield from public view all personal information included in domain name whois records. Rather than being published publicly, the information is promised to remain in the hands of eNom except when it receives a court order to turn it over. (The hidden service was free to Google App users.)
Starting in mid 2013, a software defect in Google Apps started leaking the data, including names, phone numbers, physical addresses, e-mail addresses, and more. The bug caused the data to become public once a domain registration was renewed. Cisco’s Talos Security Intelligence and Research Group discovered it on February 19, and five days later the leak was plugged, slightly shy of two years after it first sprung.
Whois data is notoriously unreliable, as is clear from all the obviously fake names, addresses, and other data that’s contained in public whois records. Still, it’s reasonable to assume that some people might be more forthcoming when using a supposedly privacy-enhancing service Google claimed hid such data. Even in cases where people falsified records, the records still might provide important clues about the identities of the people who made them. Often when data isn’t pseudo-randomized, it follows patterns that can link the creator to a particular group or other Internet record. As Cisco researchers Nick Biasini, Alex Chiu, Jaeson Schultz, Craig Williams, and William McVey wrote:
The reality of this WHOIS information leak is that it exposed the registration information of hundreds of thousands of registration records that had opted into privacy protection without their knowledge or consent to the entire Internet. This information will be available permanently as a number of services keep WHOIS information archived.
Cisco Talos has already identified many affected domains that we have linked to malicious activity. For example, looking at some of the unmasked domains possessing very poor web reputation scores, we can see several potential threat actors who might have some ‘splaining to do. For example, the domain “federalbureauinvestigations.com” has an extremely poor web reputation score. Another domain, “hfcbankonline.com”, also possesses a similarly poor web reputation score (we can only speculate as to the reason). Of course, it is well-known that many WHOIS registration details can easily be forged. In the event that the WHOIS record clearly contains false data, that information can still be used for the sake of threat attribution, as was the case of the String of “Paerls” investigation.
On the other end of the spectrum are domains registered using WHOIS privacy protection for quite legitimate reasons. The obvious risk here is that some of these individuals who have been unmasked may now be in some form of danger as a result of their connection with the domain registration. Additionally, threat actors may use domain registration information for malicious purposes. For example, sending targeted spear phish emails containing the victim’s name, address, and phone number to make the phish seem even more authentic. As eNom points out, identity theft is also a possibility. To best protect themselves users are urged to adopt safe browsing habits and make use of layered defenses like antivirus and antispam technology.
Google began warning Google Apps customers of the breach on Thursday night. An official e-mail reads:
Dear Google Apps Administrator,
We are writing to notify you of a software defect in Google Apps’ domain registration system that affected your account. We are sorry that this defect occurred. We want to inform you of the incident and the remedial actions we have taken to resolve it.
When the unlisted registration option was selected, your domain registration information was not included in the WHOIS directory for the first year. However, due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed. As a result, upon renewal and from then on forward, your registration information was listed publicly in the WHOIS directory.
It’s not particularly easy for the uninitiated to get bulk access to the 282,000 whois exposed records, especially now that two weeks have passed since the data has once again been hidden. Registrars make it difficult to download mass numbers of records, but as the Cisco researchers point out, the falsified data is now a permanent part of the Internet record that won’t be hard for determined people to find. It wouldn’t be surprising if now-hidden records begin selling in the black market soon.
Google’s breathtaking failure is a potent reminder why in most cases people do well to provide false information when registering for anything online. In some cases, accurate information is required. More often than not, things work fine with fields left blank or filled in with random characters. It’s hard to know just how many people will be bitten by this epic blunder, but even if it’s only 10 percent of those affected, that’s a hell of a price.
Update: A Google spokesman said the bug resided in the way Google Apps integrated with eNom’s domain registration program interface. It was reported through Google’s Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed.