Google Apps bug exposes some users' personal info

A defect in Google's business software exposed e-mail addresses, mailing addresses and phone numbers of some users, making them potentially vulnerable to phishing schemes.

Don Reisinger
CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
Don Reisinger
3 min read

A look at the timeline for the Google Apps bug resolution. The glitch in Google's business software exposed some users' personal information for nearly two years. Cisco Talos

A set of Google software and tools for businesses exposed some users' personal information for nearly two years, despite those users opting to keep the data private, security researchers said Thursday.

Google Apps for Work is a collection of Google's online services like Gmail and Calendar that have been tailored for businesses. It includes a version of Google Domains, a service like GoDaddy that lets users buy website URLs and set up email addresses with company-specific domain names, such as janedoe@yourbusiness.com.

Users who register a domain through Google Apps for Work can opt to keep registration info -- including names, addresses, phone numbers and e-mail addresses -- hidden. (Such data is normally public by default, in a domain-name database called Whois that's required by the Web's governing body, ICANN.) But a defect in the Google Apps product meant that when users who had opted for privacy renewed their registration, the privacy request fell by the wayside. What's worse, despite a fix that returned the domains to their previous private status, Google's bug likely caused the personal information to be left on the Internet for good.

The bug left information exposed from mid-2013 till just a few weeks ago, according to a blog post by the Talos Security Intelligence and Research Group. Talos -- associated with Cisco Systems, a maker of computer networking gear -- said that out of the 306,000 Google Apps for Work site owners who chose to go anonymous, 94 percent (more than 280,000 domains) could have been affected. Domains that weren't renewed or that had been registered within the last year were not affected.

The issue is a potentially major one for Google and the people requesting private domains. The reasons for hiding domain information are numerous, ranging from simply desiring more privacy to safeguarding against phishing or other scams. (Phishing is an attempt to acquire a user's personal information by sending an e-mail masquerading as a trustworthy source.) Google Apps for Work used a third-party privacy provider called eNom that lets users anonymize their personal information for about $6 per year. On the company's site, eNom argues that all sites should be anonymized to protect against identity theft and spam e-mails.

In its blog post, Talos also mentioned the risk of publicly available info. "Threat actors may use domain-registration information for malicious purposes," it said. "For example, sending targeted spear phish emails containing the victim's name, address, and phone number to make the phish seem even more authentic."

Talos also said the leaked Google Domains info "will be available permanently, as a number of services keep Whois information archived."

A Google spokesman confirmed to CNET on Friday that a bug was discovered by Talos and subsequently addressed.

"A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps' integration with the eNom domain registration API," the spokesman said. "We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."

According to Google, the affected domains are now back to being private and the issue will not affect any customer renewals in the months ahead. Google was also quick to point out that the data leak was limited solely to the domain-registration information and nothing stored in Google Apps.