
Do not let your domain expire with Google Apps - benreyes
http://benreyes.posterous.com/do-not-let-your-domain-expire-with-google-app
======
kwantam
A few weeks ago I tried to register Google Apps on a domain I purchased, and
found that it'd already been registered by someone else. I sent an email to
the support team explaining that there was a previous account and that I was
the new owner, and upon proving that the domain was now mine they deleted the
old account and had me start anew.

Obviously, while the email-support method is safe, the automated system for
unlocking admin access based on "proof of ownership" is pretty scary! Seems
like this could be solved by requiring you to prove ownership and then
releasing new auth info to a linked email account on a different domain. That
helps to establish both present ownership and a chain of ownership back to the
last time you had authorized access and were able to adjust the "emergency
email account" setting. It's not perfect, but it's a heck of a lot better.

It also seems to me like someone wanting to abuse this right now could do so
pretty easily: you can confirm that a domain is available and that it has had
a google Apps account set up in the past before you spend a dime, so you can
just set a computer to trawling known Google Apps domain names (e.g., by
looking at traffic on large mailing lists) to find ones whose registration has
expired.

------
joshfraser
It sounds like Google have changed their policies on this. Just a few months
ago I was caught on the other side of this issue. Basically I bought a domain
and wasn't able to get Google Apps set up because someone else had used it in
the past. Here's the full story:
[http://www.onlineaspect.com/2010/11/12/issues_with_google_ap...](http://www.onlineaspect.com/2010/11/12/issues_with_google_apps/)

~~~
benreyes
Thanks JoshFraser, I have appended a note to the blog post to check your
comment on here. Although the Google Apps team may have altered their policies
according to my blog post which I contacted them about 2 months ago. This
issue is still a serious matter. I would have still been able to access the
person's Amazon account using a wildcard email address. Although it does
lessen the blow if a social engineer takes a hold of your domain as they might
not be able to get into your GMAIL, but the real lesson here is you shouldn't
let your domains expire with any form of identity or online accounts still
attached to them.

It's also a cautionary tale of what you leave up on the cloud when you abandon
your email account. I could have potentially found a lot more damaging
information from gaining access to this persons email.

~~~
pyre

      > This issue is still a serious matter. I would have still been able
      > to access the person's Amazon account using a wildcard email
      > address.
    

That's just a general 'loss of domain' issue. It would also be much harder.
This Google Apps issue allows you to exploit everyone using that domain
without any prior knowledge. Without access to the previous Google Apps
accounts, you would have to be specifically targetting someone. (Note: This is
the same for any service similar to Google Apps.)

------
megamark16
It took me about 10 minutes to write a python script that grabs a list of
recently expired domains and checks each domain to see if it's a valid Google
Apps domain. This is a pretty serious issue, if indeed it's still possible to
take ownership of accounts as the article suggests. Hopefully Google has added
some mitigating steps to keep this sort of thing from happening.

~~~
DenisM
How do you verify if a domain has a google apps account? I actually need this
for a different, legitimate purpose.

~~~
megamark16
The off the cuff way I was doing it was to go to
<https://mail.google.com/a/DOMAIN_NAME/> and see if I get a login screen or an
error saying that the domain wasn't using google apps.

~~~
DenisM
I see. Some domains use SAML authentication, so it doesn't work as well for
them. E.g. uw.edu

------
larrys
I want to point out that as a ICANN registrar not a day goes by where some
tech person working on behalf of a customer will contact us and request an
auth code to transfer out a domain name. Just like that. As if we will send
one to anyone that asks. Later when the customer makes the request many times
the domain ends up at another registrar in the name of the tech person, isp,
web designer etc. who has been told they need to be able to login and make
changes. The name subsequently is deleted for non-payment (customer isn't
notified and invoice goes to new contact) and they loose control of their
domain.

------
DenisM
You have likely broken the law by accessing that Amazon account which was not
yours, and now you blog about it. It might be a good idea to talk to a lawyer.

not a legal advice

~~~
benreyes
I accessed the person(s) amazon account to find contact information. They are
now fully aware that I accessed the account as I left a voicemail. I offered
full access to the GMAIL account and gave the password on the Amazon account
so it could be shut it down and alert amazon who could also further do a full
audit of what I accessed.

There does not seem to be any alarming distress in the situation. It has been
over 2 months since the incident, I made sure that the person(s) involved was
fully aware and of the blog post. No issue was raised about me writing it up
and posting it. I also waited for a period of time to hear back from the
Google Security Team. I believe I have taken the correct response here.

~~~
jacques_chester
The philosophical nature of criminal law in common law countries is that
offences against a person are offences against the Crown or People (depending
on your jurisdiction).

The practical outcome is that the Crown or People can choose to independently
charge you of a crime, regardless of what the actual 'victim' wants.

Be careful.

Of course, IANAL, TINLA.

------
giberson
While it may add an extra step on their end process wise, it seems like the
obvious solution to this matter is to simply enact a policy such that if
domain ownership changes hand the associated accounts are reset unless a
signed transfer of ownership and proof of identity is provided by the original
owner.

~~~
jacques_chester
Everything I've ever read about Google's customer support infrastructure is
that they don't "do" person-to-person transactions. Hardcopy? You must be
joking.

~~~
giberson
I was simply supplying what a solution was--which has nothing to do with
Google's likelihood to implement it.

------
hackount
Making sure to renew your domain name is a good solution if you actually want
to keep your domain. But what if you are done with that domain, and purposely
let it expire? Is there a way to delete your Google Apps account entirely
before letting the domain name expire, so the next person to register that
domain can start from scratch with Google Apps, as if that domain had never
been used before?

~~~
lmok
There is an option in the Google Apps cpanel: "Delete Google Apps for
mintcake.com". Underneath which it reads: "You can close your Google Apps
account and delete all user accounts and data associated with it." It's in
Domain settings > Account information.

------
a3_nm
Notice that you will have the same kind of trouble if you're using OpenID on
your own domain and let it expire...

(An attacker could buy the domain name and set up a page at your OpenID URL
which would delegate the OpenID to something under their control.)

------
kevinpet
Google's problem isn't in their authentication, it's in the whole idea that
having a domain name now means I should have access to the previous google
apps account. They're separate entities.

This is probably related to why google isn't able to move an apps account to a
new domain (our real domain is just an alias to our google apps account on
previous company name's domain).

------
zacharypinter
Any idea if this applies for a domain that's an alias to your primary domain?

For example, if you have foo.com as your Google Apps domain, and you have
foo.us as an extra domain that was aliased but then expired, does that expose
the foo.com Google Apps account?

~~~
pyre
If Google Apps doesn't know about foo.us, then I think that answer would be
no. (Though I would confirm this with someone more knowledgeable)

~~~
pasbesoin
I haven't used the alias feature, myself, but I believe the grand parent post
is asking about a circumstance where your Google Apps account specifically
_does_ know about and supports the second domain (as an alias).

~~~
zacharypinter
Exactly. Thanks for clarifying :)

------
btucker
Any thoughts on how Google could prevent this? Seems important they provide a
way to reclaim domains.

~~~
Sidnicious
I think that the trust model for Google Apps account recovery is wrong. The
domain name is a separate asset from the Apps account and the data in it.

The owner of the domain name should be able to create a brand-new Google Apps
account for it. Recovering access to an account should be done through another
channel (secondary email address, SMS, postal mail).

~~~
vladd
This isn't practical since any Apps admin account has by definition access to
modify/reset all regular accounts belonging to that company/domain, so if you
don't use things like wipeouts upon whois creation date modifications, the
potential to expose a lot of private data from the former owner still exists.

~~~
Sidnicious
Maybe “account” is the wrong word. I think that the domain’s owner should be
able to create an entirely new “instance” of Google Apps (with separate users
and separate data), whereupon the old instance would be detached from domain.

An admin of the old apps instance should be able to get into it to access
data, delete it, or attach it to a different domain name.

------
cwb71
Thanks for pointing out this issue, Ben.

I am curious why you did not mention whether there is an option to simply
delete your Google Apps account before letting the domain expire?

------
tallanvor
I originally registered one of my primary domains through Google, but I
transferred the domain to my primary registrar before I had to renew it.
--Back then there were some problems with people not being able to renew some
domains and running into problems as a result.

------
steveh73
You did not completely censor the last screenshot.

------
ltamake
Google should remind you that your domain is expiring and offer to switch to a
regular account or clear your data.

~~~
dspillett
Is it really Google's responsibility though? You'll already be getting emails
from your registrar telling you that the domain is about to expire. And it
isn't just Google, any service that is linked to another account/service in
this way would be vulnerable, so the headline should be "don't let X expire
while you have important stuff in Y that can be accessed through it".

That said, a warning message on login would be nice. They could check the
whois records on initial registration to see when the domain is due to expire,
and verify that (in case it has been extended) before giving a warning.

There is an easy way to detect a domain expiring that would stop accidental
access to data like this by new domain owners. IIRC on signup for Google's
apps you add a TXT record to the domain to prove that you control it - if a
domain is expired and renewed by someone else then this TXT record will be
gone. Again there is no need to check on every login, just when the domain is
due to have expired. Of course this does not protect against intentional
access, as the TXT record could be remembered and re-entered by the attacker
if they are registering the name specifically to get access to the data on
accounts like Google apps.

------
brackin
Great post ben i'm amazed this can happen with such ease.

