Even Google forgets to renew its domains
tl;dr
- Google forgot to renew a domain used in their documentation.
- It was mildly embarrassing for them.
- And possibly a minor security concern for some new G-Suite domain administrators.
Background
Choosing a good example domain to use in documentation is hard. You want something which is obviously an example, so that users understand they have to substitute their own details for it. But it also needs to be a validly formatted domain, it shouldn't be used for anything important, and - most importantly - it should be under your control.
In most of Google's domain documentation, they used SpottedFig.org - why? Who knows!
They used it across their support platform:
Yet, for some reason, they didn't renew it when it expired a couple of months ago.
So I bought it for £10. Cheap!
Security
Google's documentation said "To view DNS results for a domain already configured to use G Suite, enter spottedfig.org."
As I now control the domain, I could have published malicious DNS records and convinced people to copy them into their own configuration. Perhaps redirecting their email to my servers.
Impact
Look, this isn't in the same league as the chap who bought Google.com for $12. This is a minor domain with probably zero traffic until I stumbled upon it. Looking in the Wayback Machine, it appears that the site never had any meaningful content.
Because Google specifically advised users to check the DNS entries of SpottedFig.org, I thought there was a minor security risk that Google users could be tricked into entering incorrect DNS information. So I responsibly disclosed it to them.
Eventually, Google replaced most references to SpottedFig in their documentation. They inexplicably left this .com one though:
Timeline
- 2019-11-29 Found the domain while reading the documentation close to midnight.
- 2019-11-30 Purchased the domain. Wrote a badly worded vulnerability report at 1am and sent to Google.
- 2019-12-02 Marked as "infeasible" by Google. So I wrote a better explanation. Essentially "Google tells G-Suite admins to use my domain as a template for configuration."
- 2019-12-03 Google reconsidered! Said it probably wasn't eligible for a bounty (drat!) but they'd evaluate it.
- 2019-12-11 I noticed that Google had rewritten its documentation. All references to SpottedFig.org were removed and replaced with a domain they control - solarmora.com.
- 2019-12-18 "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame"
- 2020-01-14 Published this blog post.
How to prevent this happening to you?
I recommend using Little Warden to monitor your domains.
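As an added example in the spirit of that advice (my own code, not from this post, Google or Little Warden), here is a small check that lints documentation for example domains which are neither RFC 2606/6761 reserved names nor under a domain you own, and that reads the days-to-expiry out of an RDAP domain record. The sample documentation text, the owned-domain set and the RDAP dates are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Names reserved by RFC 2606 / RFC 6761 can never be registered, so they are
# safe to use as placeholders in documentation.
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Loose matcher for host names in prose; good enough for a docs linter.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def _under(domain, parents):
    """True if domain equals, or is a subdomain of, any name in parents."""
    return any(domain == p or domain.endswith("." + p) for p in parents)


def is_reserved(domain):
    d = domain.lower()
    return d.rsplit(".", 1)[-1] in RESERVED_TLDS or _under(d, RESERVED_DOMAINS)


def find_unsafe_examples(doc_text, owned):
    """Domains mentioned in doc_text that are neither reserved nor under a
    domain you own, i.e. names somebody else could register."""
    found = {m.group(1).lower() for m in DOMAIN_RE.finditer(doc_text)}
    return sorted(d for d in found if not is_reserved(d) and not _under(d, owned))


def days_until_expiry(rdap_record, now):
    """Days until the registry expiry date in an RDAP (RFC 9083) domain
    record; None if the record carries no 'expiration' event."""
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "expiration":
            expires = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return (expires - now).days
    return None


# Constructed sample documentation text (not Google's actual wording).
SAMPLE_DOC = ("To view DNS results for a domain already configured to use G Suite, "
              "enter spottedfig.org. Safe placeholders are example.com or "
              "mail.example.net; our own test host is docs.solarmora.com.")
OWNED = {"solarmora.com"}  # domains under your control (assumption)

# Constructed RDAP fragment; the dates are made up for this example.
SAMPLE_RDAP = {"ldhName": "spottedfig.org", "events": [
    {"eventAction": "registration", "eventDate": "2009-12-30T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2019-12-30T00:00:00Z"}]}
NOW = datetime(2019, 11, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for d in find_unsafe_examples(SAMPLE_DOC, OWNED):
        print(f"{d}: not reserved and not yours; register it or use a reserved name")
    print("days until spottedfig.org expires:", days_until_expiry(SAMPLE_RDAP, NOW))
```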
Mike says:
I hope you have a reminder set for 9th August to see if you can buy solarmora.com
Micky Gee says:
So.. You’re a tenner down still? SADFACE.
Andy Mabbett says:
What's wrong with example.com ?
Or SpottedFig.example ?
Andy Mabbett says:
Ah, now I can see your images, they need to use a live domain.
So why not google.com ? Or abc.xyz ?
HN Front Page said on twitter.com:
Even Google forgets to renew its domains L: shkspr.mobi/blog/2020/01/e… C: news.ycombinator.com/item?id=220440…
knoebber says:
Darn, I thought the story was going to end with google offering you millions of dollars to buy spottedfig.org back.
@edent says:
Me too! 😂
Andrew McGlashan says:
Even Google has broken SPF records!
dig -t txt +short google.com|grep spf1
"v=spf1 include:_spf.google.com ~all"
As far as I am concerned, anybody using "~all" should only be doing so whilst testing… and I don't think it would be fair to say that Google is still testing SPF.
mx03 says:
SPF is broken, and only “~all” or “?all” should be used.
Onyekachi says:
Lol, I was just scrolling fast to get to the point where you would be offered millis but alas, I couldn't find that here.
Well, Google feels that the domain is pretty much useless, that's why they didn't even care.
Good article here. I hope the Big G and other large companies learn from this.
🍌 John 🍌 said on twitter.com:
I picked up a similar domain before joining Google, I'm not sure if I ended up letting it expire or still have it (so much for my memory). One day, I'm sure it'll be worth $20.