A software glitch exposed the private WHOIS information of 94 percent of the nearly 306,000 domains registered via Google Apps using eNom, Cisco Talos found.

A software defect in the Google Apps domain registration system exposed the private WHOIS information of 94 percent of the nearly 306,000 domains registered via Google Apps using eNom, according to a blog post by researchers at Cisco Talos, who discovered the glitch while working on another research project.

Craig Williams, security outreach manager at Cisco Talos, told SCMagazine.com in a Friday interview that he “stumbled across this weird data” that showed privacy settings were turned off for 89-90 percent of the domains he observed. “It's not uncommon for [larger] businesses to have administrative privacy settings off,” he said. “But it is unusual at mom and pop businesses.”

What Williams, one of the co-authors of the blog post, had found was a glitch that turned off privacy when the domain registration was renewed. The post included a redacted sample of the exposed WHOIS information, noting on one screen that “the domain has opted into the privacy protection service.” But a more recent record showed “where the protection and provided anonymity was removed,” the post said. “It appears that issue occurred when the domains were re-registered.”

Without WHOIS privacy protection, which users must request and potentially pay extra for, information associated with the domain registration, “such as name, physical address, email, and phone number becomes exposed to everyone on the Internet,” the researchers wrote. “It's possible to mine this information and leverage it for malicious purposes, such as spamming, spear phishing or other potential forms of harassment.”
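The comparison the researchers describe, an older record showing a privacy service as registrant and a newer one showing the owner's own details, can be automated as a check over a domain's WHOIS history. The script below is an added example, not code from Cisco Talos, Google or eNom: it parses two constructed "Key: Value" WHOIS snapshots (not real records), decides whether each is privacy-protected using an assumed keyword heuristic on the registrant name and organization, and reports which contact fields became exposed between consecutive snapshots. The privacy markers, field names and sample data are all assumptions for illustration.

```python
"""Audit consecutive WHOIS snapshots for lost privacy protection.

Added example; the snapshot text below is constructed, not a real record.
"""
from typing import Dict, List, Tuple

# Constructed sample: the older snapshot lists a privacy proxy as registrant.
OLDER_SNAPSHOT = """\
Domain Name: example-shop.test
Updated Date: 2013-02-11
Registrant Name: Privacy Proxy Service (constructed sample)
Registrant Organization: Privacy Proxy Service (constructed sample)
Registrant Street: PMB 123, 1 Privacy Way
Registrant City: Privacyville
Registrant Email: example-shop.test@proxy-contact.example
Registrant Phone: +1.5555550100
"""

# Constructed sample: after the (hypothetical) renewal the owner's own details appear.
NEWER_SNAPSHOT = """\
Domain Name: example-shop.test
Updated Date: 2014-02-12
Registrant Name: Jane Doe
Registrant Organization: Example Shop LLC
Registrant Street: 12 Main St
Registrant City: Springfield
Registrant Email: jane@example-shop.test
Registrant Phone: +1.5555550199
"""

# Assumed heuristic: substrings that commonly appear in privacy/proxy service names.
PRIVACY_MARKERS = ("privacy", "proxy", "protect")

# Registrant contact fields whose exposure matters (names assumed from common WHOIS layouts).
REGISTRANT_FIELDS = (
    "Registrant Name", "Registrant Organization", "Registrant Street",
    "Registrant City", "Registrant Email", "Registrant Phone",
)


def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict; a repeated key keeps the last value."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            record[key] = value
    return record


def is_privacy_protected(record: Dict[str, str], markers=PRIVACY_MARKERS) -> bool:
    """True if the registrant name or organization looks like a privacy service."""
    haystack = " ".join(
        record.get(f, "") for f in ("Registrant Name", "Registrant Organization")
    ).lower()
    return any(marker in haystack for marker in markers)


def registrant_changes(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each registrant field that changed to its (old, new) values."""
    return {f: (old.get(f), new.get(f)) for f in REGISTRANT_FIELDS if old.get(f) != new.get(f)}


def privacy_dropped(old: Dict[str, str], new: Dict[str, str]) -> bool:
    """True when the older record was protected and the newer one is not."""
    return is_privacy_protected(old) and not is_privacy_protected(new)


def audit(snapshots: List[str]) -> List[dict]:
    """Walk snapshots oldest-first and report every transition where protection was lost."""
    records = [parse_whois(s) for s in snapshots]
    findings = []
    for prev, cur in zip(records, records[1:]):
        if privacy_dropped(prev, cur):
            findings.append({
                "domain": cur.get("Domain Name"),
                "updated": cur.get("Updated Date"),
                "exposed": registrant_changes(prev, cur),
            })
    return findings


if __name__ == "__main__":
    for finding in audit([OLDER_SNAPSHOT, NEWER_SNAPSHOT]):
        print(f"{finding['domain']}: privacy lost as of {finding['updated']}")
        for field, (before, after) in finding["exposed"].items():
            print(f"  {field}: {before!r} -> {after!r}")
```

Feeding the function a series of historical snapshots (for example, exports from a WHOIS history service) flags exactly the kind of silent regression the article describes; the keyword heuristic is deliberately simple and should be tuned to the privacy service a registrar actually uses.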

After finding the exposed domains, Williams “reached out to the Google Apps team” and, after about an hour, “sent the message off to the Google security team.” He received a reply to “sit tight” about 12 hours later. Williams sent Google detailed information about his findings, gathered from the DomainTools WHOIS database, showing that “after mid-2013 almost everything [had] privacy protection off.”

Google restored privacy to the domains within days, said Williams, applauding what he called “a great example” of disclosure and response.

Williams said businesses should take steps to protect themselves. SMBs, “if feasible,” should opt to use email security appliances. “Mom and pops don't need appliances,” he said. “AV or spam software — and anything that adds layers to their defense — will help them.”

And he urged responsible browsing, cautioning users not to click on links with URLs that look suspicious, though he did note that because “some of the information may be correct” it might be difficult to determine suspect links.