As if you’re not scared enough of the Internet (and its potential to ravage your personal information), something comes along to make you even more paranoid. Just ask PlayStation users, or those that were on the receiving end of Firesheep’s eavesdropping. Today’s vulnerability du jour? Expired domains. The technical veterans among us are likely already familiar with this, but it seems that letting a domain name expire, especially those tied to other online accounts, exposes your personal information and makes you vulnerable to potential identity theft.
Today, British developer and hacker Ben Reyes wrote a post describing how he was able to use an expired domain to access to another person’s Gmail, Google calendar, contacts, and more, which then, in turn, allowed him to access further web accounts, like Amazon.
It started when Reyes recently attempted to link a newly registered domain to Google Apps. The Google Apps page immediately responded to the request, saying that the domain had already been registered. Thank you, try again. This was because the previous owner of the domain name had left it tied to Google Apps. So Reyes went through the domain reclamation process, proved he was the new owner, and shabang, he was granted access.
Once he signed in, the fun started. Google apps gave him a choice of two administrator accounts, so he chose one at random, picked a new password, and signed in. He then found himself gazing at the entire email history, calendars, and contacts owned by someone he didn’t know. If Reyes had been harboring malicious intentions, he presumably could have used this information to launch an attack on the person as well as the organizations the person had patronized.
He was able to quickly discover that the person in question was the owner of an Amazon Web Services account, so he sent Amazon a password reset request, changed the password, and was quickly granted access. Considering Amazon and most other online services simply require an email address to reclaim an account, you can see the potential for some serious identity theft here. Not only that, but with access to AWS, Reyes could easily recover the person’s name, address, and the last 4 digits of their credit card. Yikes.
Again, someone with a greater facility with the dark side could easily use the information above to squirm their way into the person’s PayPal account to steal further financial information, not to mention files and personal information stored on Dropbox and Facebook.
Reyes of course alerted the owner of the AWS account he had accessed, making them aware of their vulnerability — and to his blog post, which he had subsequently published on Hacker News. In fact, it turns out that the person in question is the senior lead at a well-funded and fairly well-known startup. So, if this can happen to someone with technical know-how, it can happen to anybody.
Reyes has also contacted Google to make them aware of the security loophole. Google has not yet given concrete word as to whether or not they’ve fixed the problem, but this just illuminates the larger issue at hand here, which is that he could have easily accessed the person’s Amazon account using a wildcard email address. Meaning that it’s pretty easy to steal your personal information through an expired domain linked to Google Apps.
According to Stuckdomains, there are more than 33 million expired domains on the Web. I think many of us have let a domain name or two expire, but clearly doing so with other accounts still attached to it poses a huge security risk. Even if an expired domain isn’t attached to Google Apps, one could still use, say, an Amazon account to gather personal info.
But Google Apps obviously provides an easier way for someone to discover what accounts are already tied to the domain. And this goes for the non-technical as well. You don’t have to be a hacker. Many of us legitimately tie domains to Google Apps and could experience the same.
Reyes and I agreed that this may cause VCs and investors (not to mention people across the board) to rush back to those forgotten domains to re-register — for the sake of preventing their email addresses from being leaked to eager young startups. (God forbid.) And more.
After all, a few users in the post’s comment section on Hacker News said that they’d already written scripts to scan all newly expired domain names to check to see if they’re connected with Google Apps. Megamark16 chimed in, saying, “It took me about 10 minutes to write a python script that grabs a list of recently expired domains and checks each domain to see if it’s a valid Google Apps domain. This is a pretty serious issue, if indeed it’s still possible to take ownership of accounts as the article suggests”.
From what we can tell, and from what Reyes has learned from Google, the problem still remains. “It’s scary to think with this information at hand, black hat hackers could potentially dig up a user’s personal information through their old domains. Programmers online are already discussing automated ways to find domains with information goldmines attached to them. This information can prevent people from getting caught with their pants down”.
So, pull your pants up, and monitor those expired domains. If you don’t, you may find yourself sponsoring an anonymous hacker’s paid vacation to Tahiti. Just ask Reyes, who is likely now spending time on his new Kindle, thanks to those friends he’s made through Google Apps.
While my headline may be a bit overzealous, as this is likely due to some lazy webmaster, or is an intentional design flaw, it’s obviously a big problem.
We’ll update as we learn more. Here’s the link to Reyes’ post, too, for reference.
Comment