Even Google forgets to renew its domains

By
on · · 13 comments · 450 words · read ~32,982 times.
tl;dr
  1. Google forgot to renew a domain used in their documentation.
  2. It was mildly embarrassing for them.
  3. And possibly a minor security concern for some new G-Suite domain administrators

Background

Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and - most importantly - should be under your control.

In most of Google's domain documentation, they used SpottedFig.org - why? Who knows!

GSuite Admin showing the domain.

They used it across their support platform:

Lots of Google pages with the domain in them.

Yet, for some reason, they didn't renew it when it expired a couple of months ago.

Domain showing as available to purchase.

So I bought it for £10. Cheap!

Security

Google's documentation said "To view DNS results for a domain already configured to use G Suite, enter spottedfig.org."

Documentation showing the domain.

As I now have control of the domain, I could have entered malicious DNS information and convinced people to use it. Perhaps redirecting their email to my servers.

Impact

Look, this isn't in the same league as the chap who bought Google.com for $12. This is a minor domain with probably zero traffic until I stumbled upon it. Looking in the Wayback Machine, it appears that the site never had any meaningful content.
Google branded 404 error in the wayback machine.

Because Google specifically advised users to check the DNS entries of SpottedFig.org, I thought there was a minor security risk that Google users could be tricked into entering incorrect DNS information. So I responsibly disclosed it to them.

Eventually, Google replaced most references to SpottedFig in their documentation. They inexplicably left this .com one though:

Google help page.

Timeline

  • 2019-11-29 Found the domain while reading the documentation close to midnight.
  • 2019-11-30 Purchased the domain. Wrote a badly worded vulnerability report at 1am and sent to Google.
  • 2019-12-02 Marked as "infeasible" by Google. So I wrote a better explanation. Essentially "Google tells G-Suite admins to use my domain as a template for configuration."
  • 2019-12-03 Google reconsidered! Said it probably wasn't eligible for a bounty (drat!) but they'd evaluate it.
  • 2019-12-11 I noticed that Google had rewritten its documentation. All references to SpottedFig.org were removed and replaced with a domain they control - solarmora.com
  • 2019-12-18 "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame"
  • 2020-01-14 Published this blog post.

How to prevent this happening to you?

I recommend using Little Warden to monitor your domains.

Share this post on…

13 thoughts on “Even Google forgets to renew its domains”

  1. Mike says:

    I hope you have a reminder set for 9th August to see if you can buy solarmora.com

    Reply

  6. says:

    Darn, I thought the story was going to end with google offering you millions of dollars to buy spottedfig.org back.

    Reply

  7. Andrew McGlashan says:

    Even Google has broken SPF records!

    dig -t txt +short google.com|grep spf1

    “v=spf1 include:_spf.google.com ~all”

    As far as I am concerned, anybody using “~all” should only be doing so whilst testing…. and I don’t think it would be fair to say that Google is still testing SPF.

    Reply

  8. says:

    Lol, I was just scrolling fast to get to the point where you would be offered millis but alas, a couldn't dnd that here.

    Well, google feels that the domain is pretty much useless that's why they didn't even care.

    Good article here. I hope the Big G and other large companies learn from this.

    Reply

  9. says:

    Googleの G Suite サービスのマニュアルで使われているドメイン名が失効してしまい、他人に取られたという話。そのドメインを取った人自身が説明しています。
    G Suite のオンラインマニュアルに、独自ドメインを設定してもうまくいかない場合の確認方法について書かれているのですが、

    設定済のドメインとして、spottedfig.org というドメイン名が使われています。これを、Google は当初は維持していたようなのですが、更新忘れで失効してしまっていたということ。
    マニュアルの中の例としてのドメインで、リンクが貼ってあるわけでもないので、日頃運営しているwebサービスが乗っ取られるとかそういった致命的なミスではないですが、spottedfig.org の新オーナーがもし偽の誘導ページ等を置けば、中にはそれがGoogleのサイトだと勘違いして指示に従ってしまう人もいるかもしれません。
    Google のような大企業でもサンプルドメインとして適当なものを使ったり、それを更新し忘れたりするんですね。
    spottedfig.org が他人に取られたことを受けて、英語版のG Suite のマニュアルではサンプルドメインが solarmora.com に変更されています。このドメインにアクセスしても、Google のエラーページが表示されます。しかし、日本語版ではまだ以前のまま、spottedfig.org ですね。
    spotted fig は、まだらのイチジク、という意味でしょうか。なんでこんなドメインを例にしたんでしょう。

    Reply

  10. says:

    I picked up a similar domain before joining Google, I'm not sure if I ended up letting it expire or still have it (so much for my memory). One day, I'm sure it'll be worth $20.



    Reply

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.