Obviously, while the email-support method is safe, the automated system for unlocking admin access based on "proof of ownership" is pretty scary! Seems like this could be solved by requiring you to prove ownership and then releasing new auth info to a linked email account on a different domain. That helps to establish both present ownership and a chain of ownership back to the last time you had authorized access and were able to adjust the "emergency email account" setting. It's not perfect, but it's a heck of a lot better.
It also seems to me like someone wanting to abuse this right now could do so pretty easily: you can confirm that a domain is available and that it has had a google Apps account set up in the past before you spend a dime, so you can just set a computer to trawling known Google Apps domain names (e.g., by looking at traffic on large mailing lists) to find ones whose registration has expired.
It's also a cautionary tale of what you leave up on the cloud when you abandon your email account. I could have potentially found a lot more damaging information from gaining access to this persons email.
> This issue is still a serious matter. I would have still been able
> to access the person's Amazon account using a wildcard email
not a legal advice
There does not seem to be any alarming distress in the situation. It has been over 2 months since the incident, I made sure that the person(s) involved was fully aware and of the blog post. No issue was raised about me writing it up and posting it. I also waited for a period of time to hear back from the Google Security Team. I believe I have taken the correct response here.
The practical outcome is that the Crown or People can choose to independently charge you of a crime, regardless of what the actual 'victim' wants.
Of course, IANAL, TINLA.
If you ever find yourself logged into someone else's account log out and, if you absolutely have to reproduce it, reproduce the attack against an account you have legitimate control over. (e.g. Register dummydomain.co, set up a Google apps account tied to it, transfer the domain, regain access to the Google apps account using nothing but the DNS settings to the transfered dummy domain. If this succeeds, you know you can compromise any account linked to a Google Apps email account on an expired domain -- you don't need to commit a federal crime to demonstrate this.)
PS: Under the right circumstances you could still be sued though. Edit: You can also be sued for just about anything so IMO it's somewhat moot.
Now, any person can give any other person an advice on legal matters, as long as the target of the advice is not fooled into thinking that he got the real certified stuff. To stay on the right side of the customs the easiest thing to do is to confess to lack of credentials and make things abundantly clear by directing the other person to the real professional after expressing your initial concern or opinion.
Now, it might seem backwards to you, and you might expect that the default would be "people talk shit all the time, so no one should listen unless the speaker actually provides credentials". This is how it works in most areas, but not all. In particular law and health are two areas where the state saw it fit to go out of the way to protect the least savvy members of society by twisting the default setting the other way around.
Obviously, this is not a legal advice on how to give legal advices, or any other matter.
So someone can give legal advice (English), but say it isn't legal advice (Legalese) and that makes it not legal advice (Legalese).
I use the same disclaimer on websites, in email, over the phone or down at the pub.
I assume the previous owner probably has some mechanism for deleting the accounts that are currently on Google Apps. If that's so, then it seems reasonable that it's their responsibility to do so.
(An attacker could buy the domain name and set up a page at your OpenID URL which would delegate the OpenID to something under their control.)
This is probably related to why google isn't able to move an apps account to a new domain (our real domain is just an alias to our google apps account on previous company name's domain).
For example, if you have foo.com as your Google Apps domain, and you have foo.us as an extra domain that was aliased but then expired, does that expose the foo.com Google Apps account?
The owner of the domain name should be able to create a brand-new Google Apps account for it. Recovering access to an account should be done through another channel (secondary email address, SMS, postal mail).
An admin of the old apps instance should be able to get into it to access data, delete it, or attach it to a different domain name.
In addition, password resets via email requested at domains having the whois creation date after the account creation date should probably be disabled.
Seems like if you are trying to reclaim a domain then requiring the user to verify access to their "backup" email address could be a simple step that would help a lot.
In addition, expired domains purchased by someone else won't be usable with Google Apps.
I am curious why you did not mention whether there is an option to simply delete your Google Apps account before letting the domain expire?
That said, a warning message on login would be nice. They could check the whois records on initial registration to see when the domain is due to expire, and verify that (in case it has been extended) before giving a warning.
There is an easy way to detect a domain expiring that would stop accidental access to data like this by new domain owners. IIRC on signup for Google's apps you add a TXT record to the domain to prove that you control it - if a domain is expired and renewed by someone else then this TXT record will be gone. Again there is no need to check on every login, just when the domain is due to have expired. Of course this does not protect against intentional access, as the TXT record could be remembered and re-entered by the attacker if they are registering the name specifically to get access to the data on accounts like Google apps.