
Dead Google Apps Domains Can Be Compromised By New Owners (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Lots of startups use Google's productivity suite, known as Workspace, to handle email, documents, and other back-office matters. Relatedly, lots of business-minded webapps use Google's OAuth, i.e. "Sign in with Google." It's a low-friction feedback loop -- up until the startup fails, the domain goes up for sale, and somebody forgot to close down all the Google stuff. Dylan Ayrey, of Truffle Security Co., suggests in a report that this problem is more serious than anyone, especially Google, is acknowledging. Many startups make the critical mistake of not properly closing their accounts -- on both Google and other web-based apps -- before letting their domains expire.

Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain allows you to re-activate the Google accounts for former employees if the site's Google account still exists.

With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials.
A Google spokesperson said in a statement: "We appreciate Dylan Ayrey's help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk."
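Google's statement above tells third-party apps to key on the unique account identifier (the OpenID Connect `sub` claim) rather than on the email address. The following is an added example, not code from the Ars Technica report, Truffle Security or Google, showing why that matters on the relying-party side: it runs two account-lookup strategies over constructed ID-token claims for the same address, once from the original employee's Google account and once from an account re-created on a new Workspace by whoever bought the lapsed domain. The client ID, `sub` values, addresses and timestamps are made up for the demo, and JWT signature verification is assumed to have already happened.

```python
"""Resolving a "Sign in with Google" login to a local account.

Added example, not code from the Ars Technica report, Truffle Security or
Google. Claim names follow standard OpenID Connect; the client ID, subject
values, email addresses and timestamps are constructed for the demo.
Signature verification of the ID token is assumed to have happened already.
"""
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
APP_CLIENT_ID = "123456789-demo.apps.googleusercontent.com"  # assumed value
FIXED_NOW = 1_736_985_600  # constructed "current time" so the demo is deterministic


def check_baseline(claims, now=None):
    """Checks every relying party must perform before trusting any claim."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("email_verified", False):
        raise ValueError("email address not verified by the IdP")


class UserStore:
    """Toy account database with an index on each candidate lookup key."""

    def __init__(self):
        self.by_email = {}
        self.by_sub = {}

    def add(self, user_id, sub, email):
        rec = {"id": user_id, "sub": sub, "email": email.lower()}
        self.by_email[rec["email"]] = rec
        self.by_sub[sub] = rec
        return rec


def resolve_by_email(store, claims, now=None):
    """Weak: whoever controls a Google account with this address today gets
    the existing local account. After the domain changes hands, the new
    owner's Workspace can mint a verified token for the same address, and the
    hd (hosted domain) claim is the same domain, so nothing here tells the two
    tenants apart."""
    check_baseline(claims, now)
    return store.by_email.get(claims["email"].lower())


def resolve_by_sub(store, claims, now=None):
    """Hardened: sub identifies the Google account, not the address. An account
    re-created under a new Workspace gets a different sub, so it lands on a
    fresh local account instead of the old employee's. A genuine address change
    on the same Google account keeps its sub, so the stored email is updated."""
    check_baseline(claims, now)
    rec = store.by_sub.get(claims["sub"])
    if rec is None:
        return None  # unknown subject: provision a new account, never link by email
    new_email = claims["email"].lower()
    if rec["email"] != new_email:
        store.by_email.pop(rec["email"], None)
        rec["email"] = new_email
        store.by_email[new_email] = rec
    return rec


def _claims(sub, email):
    return {
        "iss": "https://accounts.google.com",
        "aud": APP_CLIENT_ID,
        "sub": sub,
        "email": email,
        "email_verified": True,
        "hd": "failedstartup.example",  # same hosted domain for old and new tenant
        "exp": FIXED_NOW + 3600,
    }


# Constructed tokens: the original employee, the same address re-created by the
# buyer of the lapsed domain on a new Workspace, and the original account after
# an ordinary address rename (same sub, new email).
ORIGINAL_EMPLOYEE = _claims("109876543210987654321", "alice@failedstartup.example")
NEW_DOMAIN_OWNER = _claims("118877665544332211009", "alice@failedstartup.example")
ORIGINAL_RENAMED = _claims("109876543210987654321", "a.smith@failedstartup.example")


def demo():
    """Returns which lookup strategy hands the old account to the new domain owner."""
    store = UserStore()
    store.add("user-42", ORIGINAL_EMPLOYEE["sub"], ORIGINAL_EMPLOYEE["email"])
    weak = resolve_by_email(store, NEW_DOMAIN_OWNER, FIXED_NOW)
    strong = resolve_by_sub(store, NEW_DOMAIN_OWNER, FIXED_NOW)
    return {"email_lookup_hijacked": weak is not None,
            "sub_lookup_hijacked": strong is not None}


if __name__ == "__main__":
    print(demo())
```

The practical check on the relying-party side is to audit how existing accounts were linked: any account whose only association with the identity provider is an email address can be reached by a later owner of that address, so such links should be upgraded to `sub` on the user's next successful login and not created anew. On the tenant side, the mitigation Google names is to close out the Workspace and the third-party SaaS accounts before the domain is allowed to lapse.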
  • by fropenn ( 1116699 ) on Wednesday January 15, 2025 @06:30PM (#65092265)
    asking me to "sign in with Google"? I do not want to sign in with Google. Ever. Go away annoying pop-up!!!
    • That's not up to you, that's up to the website you're visiting. They are the ones who partnered with Google and are running Google's sign-in script. Do an ironic google search to find out what you need to add as a custom filter to your ublock or whatever else you use to block scripts.

  • It's the former customer's fault. Did you see the clothes they were wearing?

    • The former customer is 6 feet under but their data is a zombie.

    • Well it sort of is. They are stuck between a rock and a hard place here. What do you recommend? That Google take a policy of delete first and ask questions later, without the ability to recover your previous auth tokens? Can you imagine the potential chaos that would cause in an organisation if someone lets a domain lapse?

      • by mysidia ( 191772 ) on Wednesday January 15, 2025 @08:42PM (#65092499)

        Can you imagine the potential chaos that would cause in an organisation if someone lets a domain lapse

        It absolutely already causes chaos if an org lets their domain lapse. Someone in executive management needs to be fired immediately if a company's corporate email domain is allowed to expire, as that creates a huge number of issues aside from this catastrophic one of tax documents and social security numbers being leaked to cybercriminals and other opportunists.

        What do you recommend, Google take a policy of delete first and ask questions later

        Yes. My recommendation is Google should detect expiration of the internet domain name and automatically change accounts' primary domain away from the expired domain to a newly-generated internal domain if necessary. Set the expired domain to a secondary domain, and "freeze" the expired domain in their system while starting a countdown to permanent disconnection of that domain name from the account.

        When the domain is frozen: no email messages can be sent out to external servers for that domain for purposes such as "Reset Password" or "Verify". The domain has to be re-verified through a confirm process and thawed by a global admin of the tenant to reactivate usage of that domain and re-activate the ability of any users to OAuth authenticate using credentials that were tied to an identity on that domain name specifically.

        • There is a period between the domain lapsing and it getting released back into the market.
          When I bought a lapsed 4 letter .uk domain a while back, I think that period was about 90 days.

          • by mysidia ( 191772 ) on Thursday January 16, 2025 @07:24AM (#65093175)

            There is a period between the domain lapsing and it getting released back into the market.

            There is supposed to be a 90 day period, but all the major registrars bypass this period if they think your domain is valuable enough to resell.

            The way this is supposed to work is: the domain expiration date is reached. The auto-renewal grace period kicks in at the registry and the domain is automatically renewed by the registry for 1 year. The individual domain registrar then has the auto-renew grace period, somewhere between 45 and 60 days, to either delete the domain and not have to pay for the renewal, or do nothing. If the registrar does nothing, then the automatic 1-year renewal stands and the registrar will be charged the fee and have to pay for the domain renewal only after the end of that 45 to 60 day grace period.

            If the owner of the domain does not pay, then the registrar can keep the domain active during the full auto-renew grace period at no cost to the registrar. The domain registrar can send a "Delete" command to the registry at any time, but typically at 30 days after the domain expired, and the registry will then place the domain on a 90 day hold called the redemption period. So in theory it is supposed to take 120 days before an expired domain would be released back into the wild.

            However, what the domain registrars are doing is this instead. After their customer doesn't pay for the domain and it goes past the "expire date" listed in the registry, the domain registrars are running a service where they list domains for sale and auction them. They are essentially starting an auction that runs during the auto-renew grace period (the grace period which was intended to give domain registrants time to pay for their domain renewal in case there was some type of billing issue or delay). Then at the end of the auction process, the domain registrar cheats the ICANN redemption period by keeping the domain without deleting it and just replacing the contact information and moving the domain to the auction winner's account in their internal systems without informing the registry (an internal transfer of ownership of the domain between customers of the registrar, such as an internal transfer from the owner's GoDaddy account to the buyer's GoDaddy account, etc).

  • It is the downside of domain re-use. They are used as identifiers, but are not unique if they can be re-used.

    • by mysidia ( 191772 )

      That is true, but the quick reuse apparently causes a problem.

      My suggestion would be that ICANN changes the redemption period to 1 year and makes it a mandatory cooling off period before any kind of recycling and re-use of a domain is allowed. There is currently a 90-day redemption period, but domain registrars often cheat the system by "auctioning off" expiring domain names at the expiration date and transferring them directly, which causes a new party to get the domain without the domain name ever

      • So:
        - Domain registrars should have to inform Google when a domain is sold to a new owner.
        - Domain registrars should be held liable for any damage caused if they don't inform Google, failing that Google should simply refuse to point to domains registered by rogue registrars.
        Informing Google when a domain expires - so that Google can drop them - would be a bad idea, I remember Microsoft as having accidentally let that happen to domains central to their operation. What happened next was that someone noticed,

        • by mysidia ( 191772 )

          - Domain registrars should have to inform Google when a domain is sold to a new owner.

          No: what I am saying is ICANN should prohibit all registrars from initiating or conducting a sale or transfer for a domain that is already registered such that the domain is "lost" without undergoing the full redemption period [icann.org].

          That does not restrict authorized transfers that include a FOA by the original Registrant of the domain. I am saying registrars should be barred from conducting this shenanigan where they stick a

  • You can "Forgot my password" if you know what the old email addresses were, which can be found by the marketing emails and spam that are probably still being sent.

    • by Entrope ( 68843 )

      Yeah, the fundamental failing is that companies don't delete data when they shut down. This is only slightly less obvious than selling computers from a dead company without wiping the hard drives.

      • by mysidia ( 191772 )

        Apparently the companies no longer care at this point. Because: what are you going to do if they leak a trove of data for criminals to injure with... sue them? They're a failed startup. You can sue and win, but there will be no money to pay you.

        I don't know, But I guess we need to get some legislation passed that says the cloud service providers (Such as Google) become secondarily liable And any attempt to discharge or require arbitration against their liability is void for the full amount of

        • by jsonn ( 792303 )
          At least in the EU, I'm pretty sure you can go after the officers and owners personally for gross neglect.
        • by Z00L00K ( 682162 )

          With later versions of Windows, companies don't have to care because Bitlocker is on by default on client computers, so the only devices left that might contain some information to leak are the servers.

          • by mysidia ( 191772 )

            don't have to care because Bitlocker is on by default on client computers

            Servers and backup tapes are still a huge issue. When they're having a fire sale, there's also a good chance the liquidators ask for and get a login to the Windows devices so they can resell them. There are many ways a defunct company can still leak data.

            Default bitlocker can still be bypassed in its default config, since companies typically use TPM validation as their only default method for pre-boot authentication which is what

            • Doesn't the PCIe device still need to access the memory via the IOMMU, which the CPU programs to allocate address space and mapping to the PCI device?
              https://learn.microsoft.com/en... [microsoft.com]
              Apparently the devices won't be enumerated by the OS unless the drivers support DMA remapping. If they don't support that feature they're not started until a user logs in.

    • You can "Forgot my password" if you know what the old email addresses were, which can be found by the marketing emails and spam that are probably still being sent.

      I'd argue that's literally what the whole point of the article is. They're doing "Forgot my password" with apps.

  • Duh (Score:5, Interesting)

    by Revek ( 133289 ) on Wednesday January 15, 2025 @07:09PM (#65092343)
    I bought my old dial up ISP domain several years ago when the company that bought the ISP sold it. I've kept it and lately I put it on an MX host. They almost immediately emailed me and asked me what had happened to it. I put a catch-all bucket in place for a week and after more than a decade it still receives huge amounts of spam. It also receives tons of legitimate email, mobile accounts and such. How anyone could go over a decade without updating their account information is beyond me. If I hadn't bought it some lowlife would have exploited those fools a long time ago.
    • How anyone could go over a decade without updating their account information is beyond me.

      People often don't know. The internet is full of zombie accounts for things which aren't used anymore. Only recently we were reminiscing about a forum I used to frequent with a friend. I haven't visited that website in 20 years. TWO WHOLE DECADES. My indifference to that old place is old enough to vote. My last post was in October 2004. Yet I logged in. Not only did it work... I still had admin privileges. We were joking about making a point of security by giving everyone a 1 day ban and seeing if they revise their process of dealing with zombie accounts which have elevated privileges or not.

      Also someone signed up to stuff using my wife's email address, but not just silly stuff: 2FA codes, streaming services, shipping notifications with the person's address (they were UK based). Eventually my wife got so sick of it she reset their Netflix password. Never actually used their account, but we didn't get a Netflix email after that so presumably they did something to fix it.

      I recently started getting emails for a dude named Derrick. Just basic stuff like hospital verification and check-in notices. I got a survey to respond how well his endoscopy went. When I started getting these I remembered it's been a while since I got a cell phone bill for Cheryl in Louisiana whose phone bills I used to get all the time. At least the young girl who signed up for a Sephora coupon didn't put her name on the account and I thought was just making a joke email but based on Derrick's last name I

      • by Revek ( 133289 )
        You would think in all that time they would have been asked for updated information. Unless they have never called their mobile carrier or upgraded their device

        I have a hotmail account that is, shall we say, a flippant statement and seems to get accounts created with it on sites that don't force email verification. I take them over and shut them down. I was threatened by one of the fools as they had spent some money on some weird Russian online gambling site.
        • Well it sort of comes across as a benefit, doesn't it. I suspect the actual email address was just a misspelling, so when you're greeted with a message "Is your email address r***********n@gmail.com" they probably just clicked yes.

          This kind of thing is easily missed.
          Is the email address wrong or does the company not spam me?
          I didn't get a receipt? Oh well it's in my account.
          I didn't get that confirmation email, maybe I'll try the backup email address I used.
          I have problems with 2FA tokens via email, maybe I'll g

          • Not the same problem, but a few years ago I tried to change the email address my mobile phone provider was using for me (the old one had expired). A week or so later I got an email from them to confirm the address was mine, but the only information provided was the customer number. Do you know your customer number? Then I started getting bills for another mobile phone, with the number and address provided. I found out the number of their land line - using the name and address - and rang them, getting th

    • I did the same thing for my childhood regional ISP and some of the emails are *chef's kiss*
  • by ctilsie242 ( 4841247 ) on Wednesday January 15, 2025 @07:42PM (#65092403)

    Time for Google to consider accounts and workspaces to have a different primary key than domains?

    Perhaps Workspace accounts need to be keyed to something like a unique ID, so if foo.com has one Google Workspace account, then for some reason, validation checks and another Google Workspace account is created, there is some way to ensure that the accounts can't be accessed from the wrong parties?

    Maybe Google needs to look at locking old Workspace instances, where if the new owner of a domain proves ownership (via a CNAME, TXT record, etc.) the old Google Workspace account is flagged as a read-only archive, and needs to be moved to a new domain for it to be used, perhaps even some subdomain for anything but Google Takeout.

    This way, someone's old Workspace setup will still be available, but can never be accessed by the new setup.

  • Domains should never expire. Go inactive if people do not pay the registration fee, but *never* expire. Not ever. I shouldn't have to explain the reason why.

    • by butlerm ( 3112 )

      I mean bona fide domains actually used by real people and organizations not just squatted on hoping to be paid in five or six figures someday, by the way. If you have an email address email to you at that address should never be capturable by some anonymous stranger without your consent or the consent of your employer etc. This is a serious problem and if the people at ICANN were more interested in Internet security than printing money for all their member registries and registrars that would have fixed th

  • ALL of Google's services are used to attack us. ALL of them. Drive, mail, apps, whatever. There is zero reason to engage with anything Google. None.

    Companies using it for corporate stuff can take a hike.
