Do not let your domain expire with Google Apps
If you do, anybody who picks the domain up can get access to your account: your emails, passwords, calendar and all of your social network accounts. That might not seem like much, but to a black-hat social engineer it's a goldmine.
Old expired domains with Google Apps accounts that are picked up by new owners will still have all your data, emails, calendar information, etc. attached to that domain. Your email is your root identity online (you might argue Facebook is, but Facebook still requires an email). So accessing it is a potential gateway to everything, especially if you have admin access (see HBGary).
Generally speaking though, this intentional design flaw can be exploited with or without Google Apps. You might ask: what is the harm in someone accessing my old email address? Well, if you still have accounts attached to it, a social engineer may use it to dig up more information to form an attack.
To sum it up: don't let your domain expire with any form of your identity still attached to it. Ever.
[TechCrunch has written a write-up of this post]
So this all started when I recently registered the domain name http://dabble.in and tried to register it on Google Apps. It turned out someone had already registered the domain there. I tweeted in frustration, looking for Google Apps people to solve my issue and remove the domain from the existing accounts.
I got a response from a Google employee pointing me to the publicly documented way to reclaim a domain on Google Apps (http://www.google.com/support/a/bin/answer.py?answer=96917).
It involves proving you're the domain holder. Okay, sure, I own the domain, that's no problem. I changed a few DNS settings and waited a little while for Google to recognise this. Then boom, I'm in.
Google asks which administrator I want to log in as, and here's where it gets interesting. It lists two people, and I have no idea who they are. I pick one at random and set a new password.
I'm in, and now I'm looking at an inbox with a few years' worth of emails, with no clue who they belong to.
Now this is my "Holy Crap Moment": I have this person's history. As a proof of concept of how meaningful this is for a black-hat social engineer: I have full access to this person's emails, calendar and contacts, and the ability to pretend to be this person, and could use this information to establish an attack not only on this individual but on organisations and others connected with them.
Social engineering vulnerabilities focus on the weak link in computer security architecture: humans. The information in these emails may contain valuable details that might not seem interesting at all on their own, but which can be combined with other pieces of information to lay the groundwork for an attack.
Even though this information is dated, it is still crazily useful in an attack. To show you just how useful: I managed to gather that this person had registered for Amazon Web Services, and sent a quick password reset request.
Boom, I'm in. Amazon, and to be honest most other websites, only require control of the email address in order to reclaim your account. With Amazon, I now have access not only to their files on Amazon S3 and EC2, including old server config variables, but also a name, address/postcode and the last 4 digits of the person's credit card (which is still valid and hasn't expired).
Now, I've just defeated 2 authentication systems fairly easily, with the first one being a legitimate process. There's more, around the last 4 digits of a credit card: this is used by others, for example PayPal, as authentication when you lose your password. Even though PayPal may ask for additional credentials, if I were an attacker I would already have enough information to find out what the answers would be.
I'm not going to demonstrate further, as I have enough information to contact the individual, but if I wanted to I could take it further:
- Access Dropbox and all files
- Access to PayPal
- Access to Facebook
- As an administrator, the ability to access any other email accounts; e.g. if it's a now-defunct company that let the domain expire, I now have access to all of their employees' emails, calendars and contact info.
If you have read up on any of the HBGary stuff, where Anonymous attacked the website by gaining enough information to defeat one level of authentication for something that seemed isolated, the rest becomes easier to access and attack, especially when you have admin access.
The lesson learned here is: if you have a domain name, don't let it expire with identities (incl. Google Apps) still associated with it.
Update Wednesday 18th May 2011 - Google security team responded to the issue (Thanks to Michael Mahemoff @Google for relaying the issue):
Thanks for contacting us about this topic. Google Apps account ownership is directly linked to domain name ownership. If the domain registration is about to expire, it's up to the Google Apps Administrator to renew the domain or export the data in a timely manner ahead of that expiration. As you indicate in your post, this is true for any type of expired domain — it's not unique to Google Apps. The easy way to avoid any of this is to make sure your domain is renewed. Many domain registrars offer auto-renewal features as part of their service, and they send reminders before domains are due to expire. Google offers auto-renewal if admins purchase their domain through our enrollment process, and we send warnings several times before these domains are due to expire, as well as after the domain has expired. We'd appreciate it if you would update your planned post with this additional detail to make clear to users how they can avoid the situation you described. Thanks for working with us.
It may appear that the Google Apps team has changed their policies due to my contact with them. See the Hacker News comments for more information (although this is not yet confirmed by Google, and unless silently disabled, the recovery via DNS is still being shown as an option [screenshot taken on Thursday 19th May 2011 00:40]). The issue still exists as a wider problem with domains: I could still have accessed the person's Amazon account using a wildcard email address. The lesson is no less serious: don't let your domains expire with your accounts attached to them.
Note: Originally written March 19, 2011 at 9:08 AM, but I waited for Google's response before publishing (Wednesday 18th May).
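The practical defence the post and Google's reply both come back to is the boring one: know which domains still have identities hanging off them, and never let one of those lapse. The following is an added example (my own code, not part of the original post or of any Google or registrar tool) of a small domain-expiry watchdog. It assumes a hand-maintained inventory of domains and the accounts attached to each, and it reads expiry dates from RDAP-style JSON in the RFC 9083 "events" shape; the inventory, the RDAP responses and the fixed "now" below are constructed sample data (the `.test` TLD is reserved and never resolves), so the script runs offline. In a real deployment you would replace `SAMPLE_RDAP` with the response from your registrar or an RDAP service and run the report from a scheduled job, which is exactly the reminder Google's reply says registrars should be sending you.

```python
"""Domain-expiry watchdog (added example, not part of the original post).

For each domain in an inventory of domains that still carry identities
(Google Apps admin, cloud accounts, payment accounts), read the expiry date
from an RDAP-style response and flag anything expired, expiring soon, or
with no expiry information at all. The RDAP responses below are constructed
samples in the RFC 9083 "events" shape; a real check would fetch them from
the registrar or an RDAP service instead.
"""
from datetime import datetime, timezone

# Constructed inventory: domain -> identities still attached to it.
INVENTORY = {
    "example-startup.test": ["Google Apps admin", "AWS root account", "PayPal"],
    "old-project.test": [],
    "personal-blog.test": ["Dropbox", "Facebook"],
}

# Constructed RDAP-style lookups (hypothetical data; .test is a reserved TLD).
SAMPLE_RDAP = {
    "example-startup.test": {"events": [
        {"eventAction": "registration", "eventDate": "2009-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2011-05-25T00:00:00Z"},
    ]},
    "old-project.test": {"events": [
        {"eventAction": "expiration", "eventDate": "2011-04-01T00:00:00Z"},
    ]},
    # Registrar does not publish the expiry: no "expiration" event at all.
    "personal-blog.test": {"events": [
        {"eventAction": "registration", "eventDate": "2010-01-15T00:00:00Z"},
    ]},
}

# Fixed "now" so the report is reproducible (the date of the post's update).
NOW = datetime(2011, 5, 18, tzinfo=timezone.utc)


def expiry_from_rdap(rdap):
    """Return the expiration date as an aware datetime, or None if absent."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            # fromisoformat() on older Pythons does not accept a trailing "Z".
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp)
    return None


def assess(domain, identities, rdap, now, warn_days=60):
    """Classify one domain. Priority is high whenever identities are still
    attached and the domain is not comfortably renewed (UNKNOWN counts)."""
    expiry = expiry_from_rdap(rdap)
    if expiry is None:
        status, days_left = "UNKNOWN", None
    else:
        days_left = (expiry - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "RENEW_SOON"
        else:
            status = "OK"
    priority = "high" if identities and status != "OK" else "low"
    return {"domain": domain, "status": status, "days_left": days_left,
            "identities": list(identities), "priority": priority}


def run_report(inventory, rdap_by_domain, now, warn_days=60):
    """Assess every inventoried domain and order the rows most urgent first."""
    rows = [assess(d, inventory[d], rdap_by_domain.get(d, {}), now, warn_days)
            for d in inventory]
    order = {"EXPIRED": 0, "RENEW_SOON": 1, "UNKNOWN": 2, "OK": 3}
    rows.sort(key=lambda r: (r["priority"] != "high", order[r["status"]]))
    return rows


def demo_report():
    """Run the watchdog over the constructed inventory and sample data."""
    return run_report(INVENTORY, SAMPLE_RDAP, NOW)


if __name__ == "__main__":
    for row in demo_report():
        print(f"{row['priority']:4} {row['status']:10} {row['domain']:24} "
              f"days_left={row['days_left']} attached={row['identities']}")
```

Two design choices matter here. A domain with no published expiry is treated as a problem, not as fine, because a missing date is exactly the case where nobody will be reminded; and an expired domain with nothing attached sorts to the bottom, since the whole risk in the post comes from the identities, not from the domain itself. Detaching accounts from a domain you intend to drop (changing the recovery address on AWS, PayPal, Dropbox and so on, and deleting the Google Apps account) is what moves a row from "high" to "low".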
----------------------------
Further recommended reading: The Art of Deception by Kevin Mitnick, a really good book about social engineering with cases on how to defend against different types of attacks (Amazon affiliate link).
My contact information is on http://benreyes.com and I'm interested in "Social Engineering"/Social Architecture in the white hat, non-security arena (web products). I'm also currently working on a series of blog posts on Social Psychology for the web.
Follow me on Twitter (@3en)
----------------------------
- TechCrunch http://techcrunch.com/2011/05/18/security-breach-heres-how-expired-domains-expose-you-to-embarrassment-and-theft/
- Tech News Today (TWiT)
- Inc. Technology http://technology.inc.com/2011/05/20/expired-domains-pose-hacking-risk
We called Godaddy and they couldn't help us, we couldn't get a response back from Google...
Delete Google Apps for x.tld
You can close your Google Apps account and delete all user accounts and data associated with it.
If you have to get rid of your domain, do this.
Did you give back the domain to the original owner? I presume they wanted it all back as he had his digital life organized around it. How did you work through that?
It seems like the information you have given doesn't work out. I have a blog of my own where I have written about this, linking back to your post. If you are sure about this information, can you reply to the comments on my blog? Please check comment number 3 on this post http://www.blogotechblog.com/2011/05/google-apps-expired-domains-hackers-secu... A person who commented there says that he created a Google Apps account for a domain which already had one. Google did not ask him to "choose" which admin account to log into. He created a new Google Apps account for that domain and the mails associated with the previous account had disappeared. A new Google Apps account was set up with that domain. Please let my reader know the solution to this.