A flaw in Google's Apps domain renewal system has resulted in the exposure of over 280,000 hidden WHOIS records.
On Thursday, Cisco security researchers reported that a problem in the Google Apps engine, used to renew websites registered through the system, resulted in the public disclosure of 282,867 domain owner records.
The service can be used to purchase and renew domain names from third parties, such as eNom, which have partnered with the tech giant.
When you purchase a new domain name, services will often offer WHOIS record protection -- keeping details such as the domain owner's name, email, phone number and registered address secret. By using WHOIS privacy protection, domain registrants can prevent spam, phishing and potentially tracking by identity thieves from taking place. However, in the case of eNom -- which offers a paid WHOIS protection service and partners with Google -- domains renewed in 2013 which previously opted for the service lost protection.
Cisco says 305,925 eNom domains are currently registered through Google's partnership. In total 282,867 domains, approximately 94 percent of those registered, appear to have been affected by the security flaw. Using a tracker for WHOIS changes, the security team says domains were previously protected, but later WHOIS records were unmasked -- likely at the time of domain renewal.
The bug is serious, not only because customers have paid for such protection, but as eNom's service states:
"In America alone, there are an estimated 9 million cases of identity theft each year and 3 trillion spam emails sent each year. Spammers and thieves can get your information through your domain name's public record. ID Protect keeps your information safe by privatizing your domain's entry in public records."
Cisco discovered the issue on February 19 this year and notified the Google Apps team on the same day. The bug was fixed five days after disclosure and customers were later notified as shown below:
Google says new domains which have not yet faced a renewal period are not affected, and naturally those who have not paid for WHOIS protection will not be impacted.