Google Apps Related to Expired Domains Can Be Hacked: Security Breach

I was going through TechCrunch when I came across a post explaining how an expired domain that is tied to online accounts such as Google Apps can give someone else access to your private information. This was discovered by British developer and hacker Ben Reyes, who wrote a post about it. Thanks to Reyes for providing such useful information for website owners.
So you might be wondering how it could be hacked. I hope it never happens, but let us suppose that I am the hacker. Someone bought http://blogotechblog.com from GoDaddy and registered it for Google Apps. He doesn’t need it any more, so the domain expires after a year or whatever the registration period is. I buy http://blogotechblog.com and try to register it for Google Apps again. As expected, I get an error saying that the domain is already registered and that I need to contact the domain administrator to use Google Apps with blogotechblog.com.

Reclaiming the domain

Now, Google provides me with a way to reclaim the domain, which is a simple process. I need to prove that I own the domain, which I actually do, and change some DNS settings, which can easily be done from the domain control panel. The DNS change takes effect in a few hours, and once Google recognizes it, HURRAY! I need to specify which administrator I want to log in as. I pick one, set a new password, and I am signed in to Google Apps, which has the essential data of the person who owned the domain before I did.

What could I do accessing his old email address?

I guess now it would be quite easy for you to determine how far I can place my hands on the private data of the previous owner of my domain. I can access his email, calendar and contacts. In fact, I can pretend as if I am the same person who owned the domain previously and attack not only the previous owner but also other organizations connected with him.

Along with this, I can also access other accounts associated with that email address, for example Amazon. Using this I can access his files on Amazon S3 and EC2, and not to forget his name, address and postcode, along with the last 4 digits of his credit card. And if the person was related to me, I could answer the security questions which PayPal asks when a password is forgotten, as I already have the last 4 digits of the credit card.

Apart from this, I could also gain access to his Dropbox files, his Facebook account and the email accounts of the employees (if any).

So what do you infer from this? Don’t let your domain expire with identities such as Google Apps associated with it.

P.S I am not a hacker :P
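
The closing advice can be checked mechanically. The sketch below is an added example, not code from the original post: it takes an inventory of domains and of accounts whose login or recovery address lives on them, and reports domains that have lapsed, are about to lapse without auto-renew, or are not tracked at all. The domain names, dates, mailboxes and the `audit` helper are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory: hypothetical domains, dates and mailboxes.
DOMAINS = {
    "example-shop.test": {"expires": date(2025, 3, 1), "auto_renew": False},
    "example-corp.test": {"expires": date(2026, 1, 15), "auto_renew": True},
    "old-campaign.test": {"expires": date(2025, 2, 10), "auto_renew": False},
}
# (service, login or recovery address) pairs; services are those named in the post.
ACCOUNTS = [
    ("Google Apps", "Admin@Example-Shop.test"),
    ("Amazon", "billing@example-shop.test"),
    ("PayPal", "billing@example-shop.test"),
    ("Dropbox", "ops@example-corp.test"),
    ("Facebook", "owner@unknown-domain.test"),
]

def email_domain(address):
    """Return the normalised domain part of an email address."""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")

def audit(domains, accounts, today, warn_days=60):
    """Return {domain: (status, services)} for domains that put accounts at risk."""
    dependents = defaultdict(set)
    for service, address in accounts:
        dependents[email_domain(address)].add(service)

    findings = {}
    for domain, services in dependents.items():
        record = domains.get(domain)
        if record is None:
            status = "UNTRACKED"   # accounts depend on it, nobody watches renewal
        else:
            days_left = (record["expires"] - today).days
            if days_left < 0:
                status = "EXPIRED"     # registration has lapsed
            elif days_left <= warn_days and not record["auto_renew"]:
                status = "EXPIRING"    # will lapse soon unless renewed by hand
            else:
                continue
        findings[domain] = (status, sorted(services))
    return findings

if __name__ == "__main__":
    report = audit(DOMAINS, ACCOUNTS, date(2025, 1, 20))
    for name, (status, services) in sorted(report.items()):
        print(f"{status:9} {name}: {', '.join(services)}")
```

A domain that is expiring but has no accounts attached, like the constructed `old-campaign.test`, is deliberately not reported: letting it lapse exposes nothing.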

  • http://www.auto-power-girl.com Carla

    This is very useful to know. I like the PS :D :))

    • http://www.blogotechblog.com Lalit Indoria

      Hahaha :D Thanks :)

  • olaf

    I currently had a client who switched his hosting service to me. They didn’t tell me they were using Google Apps after several times of me asking. So when I changed nameservers I also went to create a Google Apps account for them. However, when I entered one of the users’ account info, it informed me that the user was already created and I had to either log in as the user or reclaim the domain. Reading your post, I felt it would be safe to reclaim the domain since after all I didn’t want any users to lose any of their email histories. However, as I finished reclaiming the domain I found myself with an empty Google Apps account and NO information from ANY of the previous users. Instead I had to create accounts for each of them and those accounts did not contain any histories either. I’m wondering if Google has done something to prevent what you were describing and if there is any way to recover any of the histories that were lost. I don’t understand why it happened this way; if Google Apps has an account already set up, it should have connected me to the account when I went to reclaim the domain. Please advise – anyone. Thanks!

    • http://www.blogotechblog.com Lalit Indoria

      Hi Olaf,
      Did your clients have any email histories? Perhaps your client might have created a Google Apps account and forgotten it totally! Hence you could see an empty account!

    • Olaf

      No, they were actively using their accounts. However, they’re not very technical. Things were configured for them by their previous webmaster, who became very difficult to deal with so they asked me to host things. They’re running a WP site and I asked for a database backup, site backup and any information regarding how their mail was being handled. 3 weeks later and a lot of delaying on his part I finally got things switched. However, even though I specifically said I would set up a Google Apps account, he never commented on the fact that there was one already set up. The weird thing was that Google allowed me to set up a new Apps account on their domain. Now, they have no access to their previous @domain.com emails since it’s going to the new Apps account. But when I read this post, suggesting that even if the domain has been expired you can rebuy the domain and somehow everything would still be there, I thought it would make my task easier. When you set up the account it doesn’t give you the option to “choose” which admin account to log into, and even if you set up one with the same name as before, it requests to reclaim the domain but doesn’t bring up any previous data.

    • http://www.blogotechblog.com Lalit Indoria

      Hi Olaf,
      This issue is related to expired domains, however your client’s domain still seems to be running. So if you try to set up Google Apps again, a new one will be set up. If the domain had expired, the emails and other essential details would be retained! I got this from TechCrunch. Hope you understand!

    • http://www.blogotechblog.com Lalit Indoria

      Olaf, the issue has been fixed by Google [as said by Ben Reyes]. Google had been working on it for the past 1-2 months and they would have fixed it after this issue went public.

  • vikas

    Domain theft? Weird you hackers! I don’t like this.