Even Google forgets to renew its domains
By @edent
tl;dr
- Google forgot to renew a domain used in their documentation.
- It was mildly embarrassing for them.
- And possibly a minor security concern for some new G-Suite domain administrators
Background
Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and - most importantly - should be under your control.
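The paragraph above lists the properties a documentation domain needs; the one it calls most important (being under your control) is exactly the one that lapses when a renewal is missed. Names reserved for documentation by RFC 2606 and RFC 6761 (example.com/.net/.org and the .example, .test, .invalid and .localhost top-level labels) cannot be registered at all, so they can never expire out from under you. The following is an added example, not code from the original post: a small linter that scans documentation text for domain-like tokens and flags any that are neither reserved nor on an allow-list of domains you own. The sample document text is constructed for the example, and the allow-list domain is assumed to be one you control.

```python
import re

# Names reserved for documentation/testing (RFC 2606, RFC 6761). They can
# never be registered, so they can never be bought by someone else.
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}
RESERVED_SECOND_LEVEL = {"example.com", "example.net", "example.org"}

# Loose match for "something.tld" tokens in prose; good enough for docs linting.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def is_reserved(domain):
    """True if `domain` is (or sits under) a name reserved for documentation."""
    labels = domain.lower().strip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return ".".join(labels[-2:]) in RESERVED_SECOND_LEVEL


def lint_documentation(text, owned_domains=()):
    """Return the set of domains mentioned in `text` that are neither reserved
    nor owned (including subdomains of owned domains)."""
    owned = {d.lower().strip(".") for d in owned_domains}
    findings = set()
    for match in DOMAIN_RE.finditer(text):
        domain = match.group(0).lower()
        if is_reserved(domain):
            continue
        if any(domain == o or domain.endswith("." + o) for o in owned):
            continue
        findings.add(domain)
    return findings


# Constructed sample documentation text (not Google's actual wording).
SAMPLE_DOC = """To view DNS results for a domain already configured to use G Suite,
enter spottedfig.org. Your own records live at docs.solarmora.com;
for a placeholder use example.com or mail.example."""

# Assumption for the example: solarmora.com is a domain the doc author controls.
OWNED = ["solarmora.com"]

if __name__ == "__main__":
    for domain in sorted(lint_documentation(SAMPLE_DOC, OWNED)):
        print(f"unreserved, unowned domain in docs: {domain}")
```

Run it over your documentation tree before publishing; anything it reports is either a name you should register and keep renewed, or one you should swap for a reserved example name.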
In most of Google's domain documentation, they used SpottedFig.org - why? Who knows!
They used it across their support platform:
Yet, for some reason, they didn't renew it when it expired a couple of months ago.
So I bought it for £10. Cheap!
Security
Google's documentation said "To view DNS results for a domain already configured to use G Suite, enter spottedfig.org."
As I now have control of the domain, I could have entered malicious DNS information and convinced people to use it. Perhaps redirecting their email to my servers.
Impact
Look, this isn't in the same league as the chap who bought Google.com for $12. This is a minor domain with probably zero traffic until I stumbled upon it. Looking in the Wayback Machine, it appears that the site never had any meaningful content.
Because Google specifically advised users to check the DNS entries of SpottedFig.org, I thought there was a minor security risk that Google users could be tricked into entering incorrect DNS information. So I responsibly disclosed it to them.
Eventually, Google replaced most references to SpottedFig in their documentation. They inexplicably left this .com one though:
Timeline
- 2019-11-29 Found the domain while reading the documentation close to midnight.
- 2019-11-30 Purchased the domain. Wrote a badly worded vulnerability report at 1am and sent to Google.
- 2019-12-02 Marked as "infeasible" by Google. So I wrote a better explanation. Essentially "Google tells G-Suite admins to use my domain as a template for configuration."
- 2019-12-03 Google reconsidered! Said it probably wasn't eligible for a bounty (drat!) but they'd evaluate it.
- 2019-12-11 I noticed that Google had rewritten its documentation. All references to SpottedFig.org were removed and replaced with a domain they control - solarmora.com
- 2019-12-18 "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame"
- 2020-01-14 Published this blog post.
How to prevent this happening to you?
I recommend using Little Warden to monitor your domains.
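Whatever monitoring service you use, the check underneath is the same: read the registry's expiry date for each domain and raise an alert well before it arrives. The following is an added example, not the post's own code or Little Warden's: it parses the expiry field from WHOIS-style text and classifies the domain as ok, warning, or expired relative to a supplied "now". The field names it looks for are the ones gTLD registries and registrars commonly emit ("Registry Expiry Date", "Registrar Registration Expiration Date"); other registries use different labels and date formats, so treat the list as a starting point to extend. The WHOIS text, domain name and dates below are constructed for the example.

```python
from datetime import datetime, timezone

# Expiry field labels seen in gTLD WHOIS output; extend for ccTLDs you use.
EXPIRY_FIELDS = (
    "Registry Expiry Date",
    "Registrar Registration Expiration Date",
    "Expiry Date",
    "Expiration Date",
)

# Date formats to try, most common first (ISO 8601 with a trailing Z).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")


def parse_expiry(whois_text):
    """Return the expiry date as a UTC datetime, or None if not found."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip() not in EXPIRY_FIELDS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass
    return None


def check_domain(domain, whois_text, now, warn_days=30):
    """Classify a domain's renewal state as (domain, status, days_remaining)."""
    expiry = parse_expiry(whois_text)
    if expiry is None:
        return (domain, "unknown", None)
    days = (expiry - now).days
    if days < 0:
        return (domain, "expired", days)
    if days <= warn_days:
        return (domain, "warning", days)
    return (domain, "ok", days)


# Constructed WHOIS output (placeholder domain and dates, not real records).
SAMPLE_WHOIS = """\
Domain Name: DOCS-DOMAIN.EXAMPLE
Registrar: Example Registrar, Inc.
Updated Date: 2019-07-10T08:00:00Z
Creation Date: 2015-08-09T14:45:22Z
Registry Expiry Date: 2020-08-09T14:45:22Z
Name Server: NS1.DOCS-DOMAIN.EXAMPLE
"""

if __name__ == "__main__":
    # In real use, feed in the output of `whois <domain>` and the current time.
    print(check_domain("docs-domain.example", SAMPLE_WHOIS,
                       datetime(2020, 7, 20, tzinfo=timezone.utc)))
```

Run this from a scheduled job over every domain your documentation, email or certificates depend on, and page someone on "warning" rather than waiting for "expired"; by the time a name has lapsed, the redemption grace period is the only thing standing between you and a stranger's registration.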
I hope you have a reminder set for 9th August to see if you can buy solarmora.com
So.. You’re a tenner down still? SADFACE.
What's wrong with example.com ?
Or SpottedFig.example ?
Ah, now I can see your images, they need to use a live domain.
So why not google.com ? Or abc.xyz ?
Darn, I thought the story was going to end with google offering you millions of dollars to buy spottedfig.org back.
Me too! 😂
Even Google has broken SPF records!
dig -t txt +short google.com|grep spf1
“v=spf1 include:_spf.google.com ~all”
As far as I am concerned, anybody using “~all” should only be doing so whilst testing... and I don’t think it would be fair to say that Google is still testing SPF.
SPF is broken, and only “~all” or “?all” should be used.
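The two comments above disagree about which qualifier belongs on the `all` mechanism; either way, the first step in auditing a domain is knowing what its record actually says. The following is an added example, not code from the post or from either commenter: a minimal SPF term parser that reports the qualifier on `all` using RFC 7208's names (fail for `-`, softfail for `~`, neutral for `?`, pass for `+`). The Google record is the one quoted in the comment above; the second record is constructed for the example.

```python
# Meaning of the four SPF qualifiers (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into terms.

    Mechanisms become (qualifier, mechanism, argument); modifiers such as
    redirect= or exp= become ("modifier", name, value).
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        name_part = term.split("=", 1)[0]
        if "=" in term and ":" not in name_part and "/" not in name_part:
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # an omitted qualifier means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def all_policy(record):
    """Result a receiver gets for a sender matched by no earlier mechanism."""
    for qualifier, mechanism, _ in parse_spf(record):
        if qualifier != "modifier" and mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
    # No 'all' term (and we ignore redirect=): RFC 7208 section 4.7 says neutral.
    return "neutral"


# Record quoted in the comment above (dig -t txt +short google.com | grep spf1).
GOOGLE_SPF = '"v=spf1 include:_spf.google.com ~all"'
# Constructed record for comparison.
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all"

if __name__ == "__main__":
    for rec in (GOOGLE_SPF, STRICT_SPF):
        print(f"{rec!r}: unmatched senders -> {all_policy(rec)}")
```

Pipe the output of the `dig` command from the comment into `all_policy` for each of your domains; a result of softfail or neutral tells you that receivers are being asked to accept (and at most flag) mail from sources your record does not list.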
Lol, I was just scrolling fast to get to the point where you would be offered millis but alas, I couldn't find that here.
Well, google feels that the domain is pretty much useless that's why they didn't even care.
Good article here. I hope the Big G and other large companies learn from this.
A story about how a domain name used in the manual for Google's G Suite service expired and was taken by someone else. The person who acquired the domain explains it themselves.
The G Suite online manual describes how to check things when setting up your own domain doesn't work, and it uses the domain name spottedfig.org as the example of an already-configured domain. Google apparently maintained this domain at first, but forgot to renew it and let it expire.
Since it is just an example domain in the manual and isn't even linked, this isn't a fatal mistake like having a web service you run every day hijacked, but if the new owner of spottedfig.org were to put up a fake page directing users somewhere, some people might mistake it for a Google site and follow its instructions.
So even a large company like Google uses an arbitrary domain as a sample and then forgets to renew it.
In response to spottedfig.org being taken by someone else, the sample domain in the English G Suite manual has been changed to solarmora.com. Visiting that domain shows a Google error page. The Japanese version, however, still uses spottedfig.org as before.
Does "spotted fig" mean a fig with spots? I wonder why they chose a domain like that as the example.
I picked up a similar domain before joining Google, I'm not sure if I ended up letting it expire or still have it (so much for my memory). One day, I'm sure it'll be worth $20.