People interested in acquiring desirable domain names that are already registered often track when these names are about to expire, so that they can quickly register them as soon as they become available. For that reason, it is important for domain name owners to monitor when their domains are about to expire, and to ensure that the names they allow to expire are absolutely nonessential.
Aside from the risk of losing a domain you potentially wanted to keep, an article that appeared in TechCrunch this week points out another important reason to be cautious with expiring domains – they can expose your personal information and even put you at risk for identity theft.
The article relates the experience of Ben Reyes, a British developer and hacker who registered a recently expired domain name. When he attempted to link the domain with Google Apps, he discovered that the previous owner had left it tied to Google Apps. After going through the process to prove he was the new owner of the domain, Reyes was eventually granted access to the previous owner's Google Apps account. Once he signed in, he discovered he had access to the email history, calendar and contacts of a person he did not know.
Reyes also found that this individual owned an Amazon Web Services account, and through a simple password change request, Reyes got access to that account as well. Had he been of more nefarious tendencies, he could have easily gleaned the name and address of the account owner, not to mention his or her credit card information. Moreover, had he been so motivated, Reyes could have found his way into the person’s PayPal, Dropbox, Facebook or any other accounts and stolen personal and financial information.
As of now, Google has not said whether it has fixed this vulnerability. But a commenter on Hacker News pointed out how easy it is to write a script that scans lists of newly expired domains that are linked to Google Apps, meaning that it’s not too hard to imagine black hat hackers turning this loophole into a widespread scam.
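A pre-expiry check along the lines the article recommends, as an added example that is not part of the original post: for each of your own domains nearing expiry, it lists the accounts whose login or recovery address still lives on that domain. The RDAP excerpts, account inventory, domain names and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP excerpts (RFC 9083): expiry is the "expiration" event.
RDAP = {
    "old-project.example": '{"events": [{"eventAction": "expiration", "eventDate": "2024-03-01T00:00:00Z"}]}',
    "parked.example": '{"events": [{"eventAction": "expiration", "eventDate": "2024-02-15T00:00:00Z"}]}',
    "main-site.example": '{"events": [{"eventAction": "expiration", "eventDate": "2026-01-01T00:00:00Z"}]}',
    "legacy.example": '{"events": [{"eventAction": "registration", "eventDate": "2010-05-05T00:00:00Z"}]}',
}

# Hypothetical inventory: accounts and the address each uses for login or recovery.
ACCOUNTS = [
    {"service": "hosted email and calendar", "address": "admin@old-project.example"},
    {"service": "cloud provider", "address": "billing@mail.old-project.example"},
    {"service": "payments", "address": "owner@main-site.example"},
]

def expiry_of(rdap_json):
    """Return the expiration date from an RDAP domain object, or None if absent."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def depends_on(address, domain):
    """True if the address is on the domain or on any subdomain of it."""
    host = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(rdap_by_domain, accounts, now, window_days=60):
    """List domains expiring within the window (or with unknown expiry) and their dependents."""
    findings = []
    for domain in sorted(rdap_by_domain):
        expires = expiry_of(rdap_by_domain[domain])
        days_left = None if expires is None else (expires - now).days
        if days_left is not None and days_left > window_days:
            continue  # not close to expiry yet
        dependents = [a["service"] for a in accounts if depends_on(a["address"], domain)]
        # Releasable only when the expiry is known and nothing recorded still relies on the domain.
        findings.append({"domain": domain, "days_left": days_left, "dependents": dependents,
                         "releasable": expires is not None and not dependents})
    return findings

if __name__ == "__main__":
    for finding in audit(RDAP, ACCOUNTS, datetime(2024, 2, 1, tzinfo=timezone.utc)):
        print(finding)
```

A domain flagged with dependents should be renewed, or have those accounts moved to an address on another domain, before it is allowed to lapse.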