Google has notified hundreds of thousands of domain registrants that their private WHOIS information has been exposed in the clear, opening them up to identity theft, phishing scams and more.
Researchers from Cisco Talos last night said the problem likely lies with one of Google’s registrar partners, eNom, and affects 94 percent of the 305,925 domains registered through the partnership. (The image above shows a sample before-and-after of a leaked domain record.)
Those affected opted in to a WHOIS privacy protection service offered by eNom called ID Protect which shields a user’s name, physical address, email and other identifiable personal information from public WHOIS listings. Google said in its notification letter that a “software defect” in its Google Apps domain registration system was to blame.
“Due to a software defect in the Google Apps domain renewal system, eNom’s unlisted registration service was not extended when your domain registration was renewed,” read Google’s notification letter.
The defect publicly exposed registration information in the WHOIS directory. And while Google has remediated the issue for eNom Google Apps customers, the problem is that online databases archive WHOIS information permanently, putting once-private data indefinitely at risk.
According to a timeline published by Cisco, the issue was reported Feb. 19, and within six days Google had resolved it for its eNom customers and put protections in place to prevent similar leaks. Google sent out its notifications last night at 7 p.m. Eastern time.
Cisco researchers said that beginning in 2013, users’ WHOIS information started appearing in the clear once their domains came up for renewal, as the privacy protection feature was apparently not carrying over when domains were renewed.
Caught in the wake of the leak are not only legitimate website owners, but also some unsavory types running shady websites. Cisco said a good number of the WHOIS records that were unmasked belong to websites that don’t fare well when it comes to reputation service scores. Some of those sites that have been thrust into the sunshine include federalbureauinvestigations[.]com and hfcbankonline[.]com, Cisco said.
“Of course, it is well-known that many WHOIS registration details can easily be forged. In the event that the WHOIS record clearly contains false data, that information can still be used for the sake of threat attribution,” Cisco said.
In the meantime, it’s likely that a good portion of the more than 280,000 WHOIS records leaked belong to legitimate registrants.
“The obvious risk here is that some of these individuals who have been unmasked may now be in some form of danger as a result of their connection with the domain registration,” Cisco said. “Privacy remains a key issue of concern for individuals and organizations of all sizes. In the case of WHOIS data and privacy protection, it’s clear that there is value in protecting domain registration information from being published given the 94% opt-in rate.”
Image courtesy DomainTools