Live by exposure, die by exposure.
It’s a hard lesson — and Google may have just learned it. According to Cisco security researchers, Google has inadvertently leaked the personal details and data of more than 282,000 domains registered through the company's Google Apps for Work service.
The domains were registered through the domain registrar eNom, which charges $6 extra on top of its normal charge to hide the personal information included in domain name registrations.
That plan seems to have worked well enough until the middle of 2013.
A domain name registrar and Web hosting company, eNom also sells other products closely tied to domain names. WHOIS is the query and response protocol widely used to look up the registered users or assignees of an Internet resource, such as a domain name or IP address block; it is through WHOIS that the registration details became visible.
Here's how the leak occurred, Cisco reported in a blog post:
"In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google App, using eNom as a registrar. At the time of writing this blog [March], there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains or roughly 94 percent appear to have been affected."
Google claims only domains that were in renewal periods were affected — and only domains that paid extra for enhanced privacy.
The issue was discovered by Cisco’s Talos on Feb. 19. It was reported to Google the same day. Google restored the protections a few days later. Google finally contacted customers last night. That notification was republished on the Cisco blog.
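A domain owner who paid for WHOIS privacy has no way of knowing it lapsed unless they look. The check below is an added example, not code from the article, Cisco or eNom: it parses a WHOIS response in the common "Key: value" format, flags registrant fields that are not masked by a privacy service, and reports how close the domain is to renewal, since the article says only domains in their renewal period were affected. The sample responses, the privacy markers and the field names are assumptions constructed for this example.

```python
import re
from datetime import date

# Constructed sample WHOIS responses (not real records). Field names follow the
# common "Key: value" WHOIS layout; the privacy service name is invented.
PROTECTED_SAMPLE = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Privacy Protect Service
Registrant Organization: Privacy Protect Service
Registrant Email: example.com@privacy.example
Registrar Registration Expiration Date: 2015-06-01T00:00:00Z
"""
EXPOSED_SAMPLE = """Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Doe Consulting
Registrant Email: jane@doe.example
Registrar Registration Expiration Date: 2015-03-20T00:00:00Z
"""

# Assumed substrings that mark a privacy/proxy service masking the registrant.
PRIVACY_MARKERS = ("privacy", "proxy", "protected", "redacted")
PERSONAL_FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Email")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /]+?):\s*(.*?)\s*$", line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record

def exposed_fields(record):
    """Personal registrant fields whose value carries no privacy-service marker."""
    return [f for f in PERSONAL_FIELDS
            if record.get(f) and not any(mk in record[f].lower() for mk in PRIVACY_MARKERS)]

def days_to_expiry(record, today_iso):
    """Days until the registration expires, or None if the field is absent."""
    raw = record.get("Registrar Registration Expiration Date", "")
    if not raw:
        return None
    return (date.fromisoformat(raw[:10]) - date.fromisoformat(today_iso)).days

def audit(text, today_iso):
    """Summarise one WHOIS response: domain, exposed fields, days to renewal."""
    record = parse_whois(text)
    return {"domain": record.get("Domain Name"),
            "exposed": exposed_fields(record),
            "days_to_expiry": days_to_expiry(record, today_iso)}
```

A domain that shows exposed fields and a small `days_to_expiry` is the case the article describes; running this over live WHOIS output for your own domains on a schedule turns a silent lapse into an alert.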
No one likes to see this kind of thing happen, but there is a certain irony about this.
You may recall the hoops that Google put Microsoft through over a second vulnerability that its Project Zero team found in Windows 8.1 last January.
Project Zero is the name of a team of security analysts employed by Google tasked with finding zero-day exploits. It was created last July and headed by Chris Evans, former head of Google’s Chrome security team.
Bugs found by the Project Zero team are reported to the manufacturer and only made public once a patch has been released or once 90 days have passed without a patch being released.
In the case of the Windows bug, Microsoft asked Google to wait for Patch Tuesday in January before publicizing the bug. But Google refused. In a response to the refusal, Chris Betz, senior director with Microsoft’s Security Response Center, accused Google of "gotcha" tactics. It’s worth quoting here in full:
Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.
Elsewhere in the blog he called for security researchers and software companies to come together and “not stand divided over important protection strategies”, such as the disclosure of vulnerabilities and the remediation of them.
Google’s current difficulties and Microsoft’s January problems are not quite the same from a technology point of view. The end result is the same: businesses are leaking data despite their best efforts to protect it. That’s not good.