Google privacy breach caused by a software defect

Expert at Cisco discovered a privacy breach caused by a software problem, which exposed personal information of users that opted for privacy setting.

A software problem occurred at Google have exposed personal information of users that registered their website and had chosen to keep their profile private.

The flaw affected the whois database that contains contact information for people who’ve purchased a domain. It is known that people that acquires a domain could request to keep their information private by paying an extra fee.

The incident was discovered by Craig Williams, senior technical leader for Cisco’s Talos research group, which reported the issue to Google that in about six days fixed the issue.

The leaked data could be used by criminal crews to run targeted phishing attack. According data provided by Cisco in a blog post,  282,867 domains were affected by the privacy breach.

[cybercriminals are] “going to have the right website name, the right name, the right address, the right phone number, the right email,” Williams said.

The expert noticed that privacy settings for domain names registered through the Google partner eNom were being turned in the renewal phase, starting around mid-2013.

“In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google App], using eNom as a registrar. At the time of writing this blog, there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains, or roughly 94% appear have been affected.” state a blog post published by Cisco on the privacy breach.

In the following graphic is illustrated the peak in domains utilizing privacy protection (dark green), in light green is represented the domains with WHOIS information exposed. The grey circle indicates when the problem occurred.

Google  confirmed that a “software defect” is the root of the problem.

As explained by Williams a lot of organizations and security companies constantly monitor changes to whois records. Whois information is considered useless since it’s either set to private or is simply fake. Criminal organizations use to buy domains by using stolen personal information or by entering bogus data.

Security firms constantly monitor this data because they can help track malware campaigns, as explained by Williams, in many cases cyber criminals reuse the bogus information.

“There are legitimate reasons to track whois information,” he said.

Thanks to the monitoring activity, experts at Cisco Talos have already identified many affected domains that they have linked to malicious activity.

“Cisco Talos has already identified many affected domains that we have linked to malicious activity. For example, looking at some of the unmasked domains possessing very poor web reputation scores, we can see several potential threat actors who might have some ‘splaining to do. “

A privacy breach is probably one of the most serious incident that can occur today. We must carefully consider our exposure to the threats, and limit surface of attack also by acting with privacy settings of the services and application we daily use.

Pierluigi Paganini

(Security Affairs –  Google, Privacy Breach)