Do not let your domain expire with Google Apps (opens in new tab)

Thanks JoshFraser, I have appended a note to the blog post to check your comment on here. Although the Google Apps team may have altered their policies according to my blog post which I contacted them about 2 months ago. This issue is still a serious matter. I would have still been able to access the person's Amazon account using a wildcard email address. Although it does lessen the blow if a social engineer takes a hold of your domain as they might not be able to get into your GMAIL, but the real lesson here is you shouldn't let your domains expire with any form of identity or online accounts still attached to them.

It's also a cautionary tale of what you leave up on the cloud when you abandon your email account. I could have potentially found a lot more damaging information from gaining access to this persons email.

How do you verify if a domain has a google apps account? I actually need this for a different, legitimate purpose.

arbuz1.ru baka-club.ru infame.ru puzkarapuz.ru luxury-institute.ru khrip-time.ru oilgasservice.ru voxtelecom.ru skippy.ru relaxpnz.ru kupi-proektor.ru akr-komanda.ru madamfurne.ru instaforgeg.ru oblomfilm.ru cmt-mitishi.ru 2mq.ru 4low.ru obzori.ru 2v4.ru tvfreak.ru concurent-vrn.ru baztv.su de-ti.ru autokg.ru kovgok.ru briztur.ru all-rest.ru opti-pro.ru infomarker.ru smartcities.ru stroystudio.ru instrumentnn.ru ontam.su beage.ru eds63.ru klint.ru moda1.ru otwod.ru nonic.ru pl110.ru apk-vs.ru mirrpg.ru sement.ru 1078fm.ru animirk.ru bigbear.ru dudusya.ru emiflex.ru odp-spb.ru

tltbutik.ru

123

sad

I accessed the person(s) amazon account to find contact information. They are now fully aware that I accessed the account as I left a voicemail. I offered full access to the GMAIL account and gave the password on the Amazon account so it could be shut it down and alert amazon who could also further do a full audit of what I accessed.

There does not seem to be any alarming distress in the situation. It has been over 2 months since the incident, I made sure that the person(s) involved was fully aware and of the blog post. No issue was raised about me writing it up and posting it. I also waited for a period of time to hear back from the Google Security Team. I believe I have taken the correct response here.

Good idea to talk to a lawyer? I'd wait until you're actually sued before wasting your time and money worrying about something so stupid. Most people aren't going to sue you if explain what you did (and why) and it's obvious you had genuine intentions.

Bring a law suit against someone requires, in general, damages or some loss. Not to mention a retainer. Getting a prosecutor to enforce a law when there is essentially no harm would be next to impossible. If a law was broken.

it sure sounds like legal advice. does saying it isn't legal advice make it true?

That sounds like an awful idea. If you update your Whois information all of a sudden all your Google Apps data gets deleted? I'd be furious.

I suspect the real problem here is that identifying when ownership has changed is pretty much impossible unless you are the registrar. Assuming you could even fetch them (they probably are rate limited) the whois record could change without indicating an ownership change or even the DNS could change without indicating an ownership change. Also, even if there was no change in these records, the owner might have changed. The new owner, if an attacker, could put the same data into the whois record and use the same DNS records. The domain may never even "expire" officially with some registrars letting a new owner grab a domain before the official expiration drop.

I assume the previous owner probably has some mechanism for deleting the accounts that are currently on Google Apps. If that's so, then it seems reasonable that it's their responsibility to do so.

Everything I've ever read about Google's customer support infrastructure is that they don't "do" person-to-person transactions. Hardcopy? You must be joking.

There is an option in the Google Apps cpanel: "Delete Google Apps for mintcake.com". Underneath which it reads: "You can close your Google Apps account and delete all user accounts and data associated with it." It's in Domain settings > Account information.

If Google Apps doesn't know about foo.us, then I think that answer would be no. (Though I would confirm this with someone more knowledgeable)

I think that the trust model for Google Apps account recovery is wrong. The domain name is a separate asset from the Apps account and the data in it.

The owner of the domain name should be able to create a brand-new Google Apps account for it. Recovering access to an account should be done through another channel (secondary email address, SMS, postal mail).

When a domain is being reclaimed by someone signed into a different Google Account than the previous admins, check if the domain's whois creation date has changed, and if so, make it mandatory to wipe out the data previously associated with the domain before continuing.

In addition, password resets via email requested at domains having the whois creation date after the account creation date should probably be disabled.

Google could ask for the password of the old account. If the user gets it correct within x tries, restore the data. If not, start anew.

Google has been pretty strong on encouraging users to enter a "backup" email address. At least, on 4 different gmail accounts it pestered me mercilessly until I gave it one.

Seems like if you are trying to reclaim a domain then requiring the user to verify access to their "backup" email address could be a simple step that would help a lot.

Require a phone number and send SMS for accessing domains which have previously expired.

Is it really Google's responsibility though? You'll already be getting emails from your registrar telling you that the domain is about to expire. And it isn't just Google, any service that is linked to another account/service in this way would be vulnerable, so the headline should be "don't let X expire while you have important stuff in Y that can be accessed through it".

That said, a warning message on login would be nice. They could check the whois records on initial registration to see when the domain is due to expire, and verify that (in case it has been extended) before giving a warning.

There is an easy way to detect a domain expiring that would stop accidental access to data like this by new domain owners. IIRC on signup for Google's apps you add a TXT record to the domain to prove that you control it - if a domain is expired and renewed by someone else then this TXT record will be gone. Again there is no need to check on every login, just when the domain is due to have expired. Of course this does not protect against intentional access, as the TXT record could be remembered and re-entered by the attacker if they are registering the name specifically to get access to the data on accounts like Google apps.