Do not let your domain expire with Google Apps (benreyes.posterous.com)
281 points by benreyes on May 18, 2011 | 63 comments

A few weeks ago I tried to register Google Apps on a domain I purchased, and found that it'd already been registered by someone else. I sent an email to the support team explaining that there was a previous account and that I was the new owner, and upon proving that the domain was now mine they deleted the old account and had me start anew.

Obviously, while the email-support method is safe, the automated system for unlocking admin access based on "proof of ownership" is pretty scary! Seems like this could be solved by requiring you to prove ownership and then releasing new auth info to a linked email account on a different domain. That helps to establish both present ownership and a chain of ownership back to the last time you had authorized access and were able to adjust the "emergency email account" setting. It's not perfect, but it's a heck of a lot better.

It also seems to me like someone wanting to abuse this right now could do so pretty easily: you can confirm that a domain is available and that it has had a Google Apps account set up in the past before you spend a dime, so you can just set a computer to trawling known Google Apps domain names (e.g., by looking at traffic on large mailing lists) to find ones whose registration has expired.

It sounds like Google have changed their policies on this. Just a few months ago I was caught on the other side of this issue. Basically I bought a domain and wasn't able to get Google Apps set up because someone else had used it in the past. Here's the full story: http://www.onlineaspect.com/2010/11/12/issues_with_google_ap...

Thanks JoshFraser, I have appended a note to the blog post to check your comment on here. Although the Google Apps team may have altered their policies according to my blog post, which I contacted them about 2 months ago, this issue is still a serious matter. I would have still been able to access the person's Amazon account using a wildcard email address. Although it does lessen the blow if a social engineer takes a hold of your domain, as they might not be able to get into your GMAIL, the real lesson here is you shouldn't let your domains expire with any form of identity or online accounts still attached to them.

It's also a cautionary tale of what you leave up on the cloud when you abandon your email account. I could have potentially found a lot more damaging information from gaining access to this person's email.

  > This issue is still a serious matter. I would have still been able
  > to access the person's Amazon account using a wildcard email
  > address.
That's just a general 'loss of domain' issue. It would also be much harder. This Google Apps issue allows you to exploit everyone using that domain without any prior knowledge. Without access to the previous Google Apps accounts, you would have to be specifically targeting someone. (Note: This is the same for any service similar to Google Apps.)

It took me about 10 minutes to write a Python script that grabs a list of recently expired domains and checks each domain to see if it's a valid Google Apps domain. This is a pretty serious issue, if indeed it's still possible to take ownership of accounts as the article suggests. Hopefully Google has added some mitigating steps to keep this sort of thing from happening.

How do you verify if a domain has a Google Apps account? I actually need this for a different, legitimate purpose.

The off the cuff way I was doing it was to go to https://mail.google.com/a/DOMAIN_NAME/ and see if I get a login screen or an error saying that the domain wasn't using Google Apps.

I see. Some domains use SAML authentication, so it doesn't work as well for them. E.g. uw.edu


I want to point out that as an ICANN registrar not a day goes by where some tech person working on behalf of a customer will contact us and request an auth code to transfer out a domain name. Just like that. As if we will send one to anyone that asks. Later when the customer makes the request many times the domain ends up at another registrar in the name of the tech person, ISP, web designer etc. who has been told they need to be able to login and make changes. The name subsequently is deleted for non-payment (customer isn't notified and invoice goes to new contact) and they lose control of their domain.

You have likely broken the law by accessing that Amazon account which was not yours, and now you blog about it. It might be a good idea to talk to a lawyer.

not a legal advice

I accessed the person(s) Amazon account to find contact information. They are now fully aware that I accessed the account as I left a voicemail. I offered full access to the GMAIL account and gave the password on the Amazon account so it could be shut down and alert Amazon who could also further do a full audit of what I accessed.

There does not seem to be any alarming distress in the situation. It has been over 2 months since the incident, I made sure that the person(s) involved was fully aware and of the blog post. No issue was raised about me writing it up and posting it. I also waited for a period of time to hear back from the Google Security Team. I believe I have taken the correct response here.

The philosophical nature of criminal law in common law countries is that offences against a person are offences against the Crown or People (depending on your jurisdiction).

The practical outcome is that the Crown or People can choose to independently charge you of a crime, regardless of what the actual 'victim' wants.

Be careful.

Of course, IANAL, TINLA.

There was no need to notify the owner of the issue. If your intentions were honest, as I'm sure they were, then just delete the information. You don't need to break into the amazon account to notify anyone since the information wasn't public and you weren't going to do anything malicious with it.

Good idea to talk to a lawyer? I'd wait until you're actually sued before wasting your time and money worrying about something so stupid. Most people aren't going to sue you if you explain what you did (and why) and it's obvious you had genuine intentions.

Danger Will Robinson! Danger! As anybody who has recently decided to browse Sarah Palin's email can tell you, accessing a computer system to which one does not have legitimate access with genuine intentions is still a federal crime and "It was easy to do!" is not a defense.

If you ever find yourself logged into someone else's account log out and, if you absolutely have to reproduce it, reproduce the attack against an account you have legitimate control over. (e.g. Register dummydomain.co, set up a Google Apps account tied to it, transfer the domain, regain access to the Google Apps account using nothing but the DNS settings to the transferred dummy domain. If this succeeds, you know you can compromise any account linked to a Google Apps email account on an expired domain -- you don't need to commit a federal crime to demonstrate this.)

Don't take this as legal advice, but there is such a thing as mitigating circumstances. Your suggested approach leaves a gaping security hole open for a fairly long time before anything happens. Also, simply logging in once and doing nothing to verify a new security breach is very different than browsing info. It's like noticing a door was left slightly open, yelling "your door's open" and, if nobody answers, closing but not locking it. Technically you broke the law, but a prosecutor is unlikely to win a case so they will probably just drop it.

PS: Under the right circumstances you could still be sued though. Edit: You can also be sued for just about anything so IMO it's somewhat moot.

Personally, I think that's naive. There are a lot of people that will overreact in the extreme. Especially since they've been caught with their pants down (even though they haven't been specifically outed by name).

Bringing a lawsuit against someone requires, in general, damages or some loss. Not to mention a retainer. Getting a prosecutor to enforce a law when there is essentially no harm would be next to impossible. If a law was broken.

it sure sounds like legal advice. does saying it isn't legal advice make it true?

Without the disclaimer, in some jurisdictions the post could be interpreted as unauthorized or inappropriate practice of law. http://en.wikipedia.org/wiki/IANAL

so someone can give legal advice, but say it isn't legal advice, and that makes it not legal advice?

Real "legal advice" is professional advice, as is ascertained by the board, which gave license to the person (lawyer), who is qualified to dispense such legal advice. Giving "legal advice" when the giver is not licensed to give such advice is dangerous to public interest, and is discouraged through laws and customs.

Now, any person can give any other person advice on legal matters, as long as the target of the advice is not fooled into thinking that he got the real certified stuff. To stay on the right side of the customs the easiest thing to do is to confess to lack of credentials and make things abundantly clear by directing the other person to the real professional after expressing your initial concern or opinion.

Now, it might seem backwards to you, and you might expect that the default would be "people talk shit all the time, so no one should listen unless the speaker actually provides credentials". This is how it works in most areas, but not all. In particular law and health are two areas where the state saw it fit to go out of the way to protect the least savvy members of society by twisting the default setting the other way around.

Obviously, this is not legal advice on how to give legal advice, or any other matter.

IANAL, but I think that in this context "legal advice" has a meaning beyond the English one. It is also used to indicate an attorney-client relationship and the associated liability and confidentiality.

So someone can give legal advice (English), but say it isn't legal advice (Legalese) and that makes it not legal advice (Legalese).

The main reason for IANAL, TINLA is that lawyers have attorney's immunity, and joe shmoe does not. If somebody relies on my opinion as if it is legal advice and from the circumstances it looks like legal advice, I can be in deep poop if the advice was wrong.

You can say shit on the internet.

I see your point. The law does not.

I use the same disclaimer on websites, in email, over the phone or down at the pub.

I meant literally the word "shit". Your point is completely valid.

Well shit.

While it may add an extra step on their end process wise, it seems like the obvious solution to this matter is to simply enact a policy such that if domain ownership changes hands the associated accounts are reset unless a signed transfer of ownership and proof of identity is provided by the original owner.

That sounds like an awful idea. If you update your Whois information all of a sudden all your Google Apps data gets deleted? I'd be furious.

I hadn't considered the case of updating whois information. However, to resolve that issue I'd simply provide a mechanism where you could flag your account as pending an authorized whois update. Then, when the whois is updated, google would not take any action since the update was pre-approved by yourself.

That's still about the worst way to handle it. A change in one unrelated area can completely wipe out services in another. Just to protect against the edge case that you didn't delete your account, want to keep your data protected and let your domain expire and be registered by someone else. Don't hurt legit customers to protect a fool.

I suspect the real problem here is that identifying when ownership has changed is pretty much impossible unless you are the registrar. Assuming you could even fetch them (they probably are rate limited) the whois record could change without indicating an ownership change or even the DNS could change without indicating an ownership change. Also, even if there was no change in these records, the owner might have changed. The new owner, if an attacker, could put the same data into the whois record and use the same DNS records. The domain may never even "expire" officially with some registrars letting a new owner grab a domain before the official expiration drop.

I assume the previous owner probably has some mechanism for deleting the accounts that are currently on Google Apps. If that's so, then it seems reasonable that it's their responsibility to do so.

Everything I've ever read about Google's customer support infrastructure is that they don't "do" person-to-person transactions. Hardcopy? You must be joking.

I was simply supplying what a solution was--which has nothing to do with Google's likelihood to implement it.

That seems to square with my experience. Google Apps is free for nonprofits up to 3000 users, though they start you out with something like 100. I hit the "request more users" button and I was up to 500 almost instantly (though it said "we'll get back to you" after I hit the button).

Making sure to renew your domain name is a good solution if you actually want to keep your domain. But what if you are done with that domain, and purposely let it expire? Is there a way to delete your Google Apps account entirely before letting the domain name expire, so the next person to register that domain can start from scratch with Google Apps, as if that domain had never been used before?

There is an option in the Google Apps cpanel: "Delete Google Apps for mintcake.com". Underneath which it reads: "You can close your Google Apps account and delete all user accounts and data associated with it." It's in Domain settings > Account information.

Notice that you will have the same kind of trouble if you're using OpenID on your own domain and let it expire...

(An attacker could buy the domain name and set up a page at your OpenID URL which would delegate the OpenID to something under their control.)

Google's problem isn't in their authentication, it's in the whole idea that having a domain name now means I should have access to the previous google apps account. They're separate entities.

This is probably related to why google isn't able to move an apps account to a new domain (our real domain is just an alias to our google apps account on previous company name's domain).

Any idea if this applies for a domain that's an alias to your primary domain?

For example, if you have foo.com as your Google Apps domain, and you have foo.us as an extra domain that was aliased but then expired, does that expose the foo.com Google Apps account?

If Google Apps doesn't know about foo.us, then I think that answer would be no. (Though I would confirm this with someone more knowledgeable)

I haven't used the alias feature, myself, but I believe the grandparent post is asking about a circumstance where your Google Apps account specifically does know about and supports the second domain (as an alias).

Exactly. Thanks for clarifying :)

Any thoughts on how Google could prevent this? Seems important they provide a way to reclaim domains.

I think that the trust model for Google Apps account recovery is wrong. The domain name is a separate asset from the Apps account and the data in it.

The owner of the domain name should be able to create a brand-new Google Apps account for it. Recovering access to an account should be done through another channel (secondary email address, SMS, postal mail).

This isn't practical since any Apps admin account has by definition access to modify/reset all regular accounts belonging to that company/domain, so if you don't use things like wipeouts upon whois creation date modifications, the potential to expose a lot of private data from the former owner still exists.

Maybe “account” is the wrong word. I think that the domain’s owner should be able to create an entirely new “instance” of Google Apps (with separate users and separate data), whereupon the old instance would be detached from the domain.

An admin of the old apps instance should be able to get into it to access data, delete it, or attach it to a different domain name.

When a domain is being reclaimed by someone signed into a different Google Account than the previous admins, check if the domain's whois creation date has changed, and if so, make it mandatory to wipe out the data previously associated with the domain before continuing.

In addition, password resets via email requested at domains having the whois creation date after the account creation date should probably be disabled.

Google could ask for the password of the old account. If the user gets it correct within x tries, restore the data. If not, start anew.

Google has been pretty strong on encouraging users to enter a "backup" email address. At least, on 4 different gmail accounts it pestered me mercilessly until I gave it one.

Seems like if you are trying to reclaim a domain then requiring the user to verify access to their "backup" email address could be a simple step that would help a lot.

Require a phone number and send SMS for accessing domains which have previously expired.

That won't work for existing customers since requiring a phone number must be done when initially signing up.

In addition, expired domains purchased by someone else won't be usable with Google Apps.

Thanks for pointing out this issue, Ben.

I am curious why you did not mention whether there is an option to simply delete your Google Apps account before letting the domain expire?

I originally registered one of my primary domains through Google, but I transferred the domain to my primary registrar before I had to renew it. Back then there were some problems with people not being able to renew some domains and running into problems as a result.

You did not completely censor the last screenshot.

Google should remind you that your domain is expiring and offer to switch to a regular account or clear your data.

Is it really Google's responsibility though? You'll already be getting emails from your registrar telling you that the domain is about to expire. And it isn't just Google, any service that is linked to another account/service in this way would be vulnerable, so the headline should be "don't let X expire while you have important stuff in Y that can be accessed through it".

That said, a warning message on login would be nice. They could check the whois records on initial registration to see when the domain is due to expire, and verify that (in case it has been extended) before giving a warning.

There is an easy way to detect a domain expiring that would stop accidental access to data like this by new domain owners. IIRC on signup for Google's apps you add a TXT record to the domain to prove that you control it - if a domain is expired and renewed by someone else then this TXT record will be gone. Again there is no need to check on every login, just when the domain is due to have expired. Of course this does not protect against intentional access, as the TXT record could be remembered and re-entered by the attacker if they are registering the name specifically to get access to the data on accounts like Google apps.
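The checks proposed in this thread (comparing the WHOIS creation date with the account creation date, and looking for the signup TXT record), sketched as provider-side policy logic. This is an added example, not part of the discussion and not Google's code; the `Tenant`, `Observed` and `Decision` types, the `evaluate_reclaim` function and all sample values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Tenant:
    """Hypothetical record a hosted-apps provider keeps for one domain."""
    domain: str
    account_created: date          # when the Apps account was set up
    whois_created_at_signup: date  # WHOIS creation date seen at signup
    verification_txt: str          # token published in DNS to prove control


@dataclass
class Observed:
    """Constructed stand-in for what a live WHOIS/DNS lookup returns now."""
    whois_created: date
    txt_records: list


@dataclass
class Decision:
    email_reset_allowed: bool = True
    wipe_required: bool = False
    lapse_suspected: bool = False
    reasons: list = field(default_factory=list)


def evaluate_reclaim(tenant, seen, requester_is_previous_admin):
    d = Decision()
    # A creation date later than the account means the domain was
    # re-registered after the account existed: mail sent to it may now
    # reach a different party, so email-based resets are switched off.
    if seen.whois_created > tenant.account_created:
        d.email_reset_allowed = False
        d.reasons.append("WHOIS creation date is after account creation")
    # A requester who is not a previous admin, on a domain whose creation
    # date changed, only proceeds after the old data is wiped.
    if (not requester_is_previous_admin
            and seen.whois_created != tenant.whois_created_at_signup):
        d.wipe_required = True
        d.reasons.append("new requester and WHOIS creation date changed")
    # A missing signup TXT record hints at a lapse. Its presence proves
    # nothing: a new registrant can publish the same value again.
    if tenant.verification_txt not in seen.txt_records:
        d.lapse_suspected = True
        d.reasons.append("signup TXT verification record missing")
    return d


# Constructed sample data (example.test is a reserved test name).
TENANT = Tenant("example.test", date(2008, 3, 1), date(2005, 6, 9),
                "site-verification=PLACEHOLDER")
SAME_OWNER = Observed(date(2005, 6, 9), ["site-verification=PLACEHOLDER"])
NEW_OWNER = Observed(date(2011, 4, 2), ["v=spf1 -all"])
NEW_OWNER_REPUBLISHED_TXT = Observed(date(2011, 4, 2),
                                     ["site-verification=PLACEHOLDER"])

if __name__ == "__main__":
    for seen, prev in [(SAME_OWNER, True), (NEW_OWNER, False),
                       (NEW_OWNER_REPUBLISHED_TXT, False)]:
        print(evaluate_reclaim(TENANT, seen, prev))
```

The third case is the one the TXT comment warns about: the record is back in place, so only the WHOIS date comparison catches the change of registrant.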

Great post Ben, I'm amazed this can happen with such ease.
