
If you want to figure out who owns a website, it’s pretty easy: You simply punch the URL into a “whois” database, and up pops the info of the person who registered that domain. Unless, of course, that person has paid their hosting service extra so that you can’t find out who they are.
Yesterday, a group of security researchers from Cisco revealed that Google had been slowly de-anonymizing its customers who were buying domain names through Google. Due to a problem with the way Google’s system interacted with the third-party registrar service eNom, customers for whom identity protection is a part of the “Google App” services were not, in fact, given that protection.
Of Google’s 305,925 customers registered with eNom, 282,867 have had their records sitting out in the open since 2013, including names, email addresses and phone numbers.
Google gave this statement to the Observer:
A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps’ integration with the Enom domain registration API. We identified the root cause, made the appropriate fixes, and we’re communicating with affected Apps customers. We apologize for any issues this may have caused.
Since the problem was reported to Google’s vulnerability rewards program, they’ve been reaching out to customers, fixing the bugs, and putting every affected account back under the cloak of anonymity.
Kudos to Craig Williams of the Talos team at Cisco, who is—given the reward amounts for letting Google know about flaws in their services—likely thousands of dollars richer.