Google Apps Related to Expired Domains Can Be Hacked: Security Breach

I was going through TechCrunch when I just came across a post which explains how expired domains related to other online accounts such as Google Apps can grant access to your private information. This was found out by British developer and hacker Ben Reyes who wrote a post about it. Thanks to Reyes for providing such useful information for Website Owners.
So you might be wondering how it could be hacked. Don’t hope so but let us consider that I am the hacker. Someone had bought from GoDaddy and registered it for Google Apps. He doesn’t need it any more and hence the domain gets expired after a year or whatever the time period could be.  I buy and try to register for Google Apps again. As expected, I would face an error that the domain is already registered and I need to contact the domain administrator for using Google Apps with already registered

Reclaiming the domain

Now, google provides me with a way to reclaim the domain which is a simple process. I need to prove that I own the domain which I actually do and change some DNS settings which can easily be done from the Domain Control Panel. The DNS settings are changed in a few hours and once Google recognizes this change, then HURRAY! I need to specify as to which administrator I need to login. I pick an one, set a new password and I am signed into Google Apps which has the essential data of the person who owned the domain before I did.Google Apps Email Hacked

What could I do accessing his old email address?

I guess now it would be quite easy for you to determine how far I can place my hands on the private data of the previous owner of my domain. I can access his email, calendar and contacts. In fact, I can pretend as if I am the same person who owned the domain previously and attack not only the previous owner but also other organizations connected with him.

Along with this I can also access other accounts associated with that email address which could be Amazon. Using this I can access his files on Amazon S3 and EC2 and not to forget the Name, Address, PostCode too along with his last 4 digits on the credit card. And if the person was related to me, I could answer the security questions which PayPal would put forward on forgetting the password as I already have the last 4 digits on the credit card.

Apart from this I could also gain access to his DropBox files, Facebook account and also access to email accounts of the employees (if any).

So what do you infer from this? Don’t let your domain expire with identities such as Google Apps associated with it.

P.S I am not a hacker 😛

Leave a Comment