280,000 Google Apps Domains Hit by eNOM Info Leak

Domain owner names, addresses and phone numbers that were supposed to be kept private with Whois privacy protection were not.

information leak

Cisco's Talos research group reported March 12 that up to 282,867 Google Apps domains registered by eNom are at risk from a potential information leak. The information leakage is that domain owner names, addresses and phone numbers that were supposed to be protected with Whois privacy protection were not, in fact, protected.

The way the Internet works, every domain name needs to have contact information associated with it, and all that information is generally available over a public Whois server lookup. There are many public Whois server lookup services on the Internet today, for example https://www.whois.net. Over the years, some domain owners have been concerned that putting their contact information in a publicly accessible location represents a potential privacy risk. That concern has led to the use of Whois privacy services, which mask the domain owner information, substituting information from the Whois privacy service.

In the Google Apps case, Cisco's researchers found that 282,867 domains that were registered via eNom that were supposed to have Whois privacy enabled did not have their information protected.

"A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps' integration with the eNOM domain registration API," a Google spokesperson told eWEEK. "We identified the root cause, made the appropriate fixes and communicated this with affected Apps customers."

Google Apps uses multiple domain registration partners, including GoDaddy. The Whois Privacy issue, however, only impacted Google Apps customers with domains at eNom. Not all Google Apps domains registered via eNom are at risk. Only those customers that were renewing a domain were impacted by this issue, and Google Apps customers who registered their domain in the last year through eNom were not affected.

Cisco's research found that the unmasking likely first started in mid-2013.

"We were unaware of the issue until I discovered it on Feb 19, 2014," Craig Williams, senior technical leader, Cisco Talos told eWEEK. "We have the ability to look back and see when the issue seems to have begun occurring."

Williams noted that according to the email Google sent affected customers, the issue occurred due to "a software defect in the Google Apps domain renewal system; eNom's unlisted registration service was not extended when your domain registration was renewed."

"So, basically, as domains began to renew, the privacy settings were turned off," Williams said. "The information was available to anyone until we notified Google and the issue was resolved."

Given that Whois server data can be cached for archival purposes, even after the issue has been fixed, the disclosed information could still potentially be discovered and retrieved.

"Now, only people with the ability to look at historic Whois information have the ability to look at the data," Williams said. "The problem is that this information will never go away; affected users will need to remain vigilant since this would allow certain attacks, like spear-phishing, to be more effective."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.