Even Google forgets to renew its domains

by @edent | 11 comments | Read ~32,392 times.
tl;dr
  1. Google forgot to renew a domain used in their documentation.
  2. It was mildly embarrassing for them.
  3. And possibly a minor security concern for some new G-Suite domain administrators.

Background

Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and - most importantly - should be under your control.

In most of Google's domain documentation, they used SpottedFig.org - why? Who knows!

GSuite Admin showing the domain.

They used it across their support platform:

Lots of Google pages with the domain in them.

Yet, for some reason, they didn't renew it when it expired a couple of months ago.

Domain showing as available to purchase.

So I bought it for £10. Cheap!

Security

Google's documentation said "To view DNS results for a domain already configured to use G Suite, enter spottedfig.org."

Documentation showing the domain.

As I now have control of the domain, I could have entered malicious DNS information and convinced people to use it. Perhaps redirecting their email to my servers.

Impact

Look, this isn't in the same league as the chap who bought Google.com for $12. This is a minor domain with probably zero traffic until I stumbled upon it. Looking in the Wayback Machine, it appears that the site never had any meaningful content.

Google branded 404 error in the wayback machine.

Because Google specifically advised users to check the DNS entries of SpottedFig.org, I thought there was a minor security risk that Google users could be tricked into entering incorrect DNS information. So I responsibly disclosed it to them.

Eventually, Google replaced most references to SpottedFig in their documentation. They inexplicably left this .com one though:

Google help page.

Timeline

  • 2019-11-29 Found the domain while reading the documentation close to midnight.
  • 2019-11-30 Purchased the domain. Wrote a badly worded vulnerability report at 1am and sent to Google.
  • 2019-12-02 Marked as "infeasible" by Google. So I wrote a better explanation. Essentially "Google tells G-Suite admins to use my domain as a template for configuration."
  • 2019-12-03 Google reconsidered! Said it probably wasn't eligible for a bounty (drat!) but they'd evaluate it.
  • 2019-12-11 I noticed that Google had rewritten its documentation. All references to SpottedFig.org were removed and replaced with a domain they control - solarmora.com
  • 2019-12-18 "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame"
  • 2020-01-14 Published this blog post.

How to prevent this happening to you?

I recommend using Little Warden to monitor your domains.
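A complementary check, added here as an example and not part of the original post: a small Python audit that flags hostnames in documentation which are neither IANA-reserved nor in a list of domains you control, and reads the expiry date out of an RDAP domain lookup so a lapsing domain is noticed before it goes back on the market. The doc snippet and RDAP record are constructed, and the set of owned domains is an assumption.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
# IANA-reserved documentation names (RFC 2606 / RFC 6761): nobody can register these.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"example", "invalid", "test", "localhost"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

def registrable(host: str) -> str:
    """Crude registrable-domain guess: last two labels (no public-suffix list offline)."""
    return ".".join(host.lower().split(".")[-2:])

def audit_docs(text: str, owned: Set[str]) -> Dict[str, List[str]]:
    """Sort every hostname in a doc page into reserved / owned / unowned buckets."""
    report: Dict[str, List[str]] = {"reserved": [], "owned": [], "unowned": []}
    for host in sorted({h.lower() for h in HOST_RE.findall(text)}):
        dom = registrable(host)
        if dom in RESERVED_DOMAINS or dom.split(".")[-1] in RESERVED_TLDS:
            report["reserved"].append(host)
        elif dom in owned:
            report["owned"].append(host)
        else:  # the SpottedFig case: a live domain nobody on your side controls
            report["unowned"].append(host)
    return report

def days_to_expiry(rdap: dict, now: datetime) -> Optional[int]:
    """Days until the 'expiration' event of an RDAP domain lookup (None if absent)."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            return (exp - now).days
    return None

def needs_attention(rdap: dict, now: datetime, warn_days: int = 60) -> bool:
    """True when a domain you depend on is about to lapse or has no known expiry."""
    days = days_to_expiry(rdap, now)
    return days is None or days <= warn_days

# Constructed sample input (not real data): a doc snippet and a fake RDAP record.
DOC = ("To view DNS results for a domain already configured to use G Suite, "
       "enter spottedfig.org. Mail admin@solarmora.com, or see "
       "https://www.example.com/setup and docs.acme.example for more.")
RDAP_SAMPLE = {"ldhName": "solarmora.com", "events": [
    {"eventAction": "registration", "eventDate": "2019-08-09T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2020-08-09T00:00:00Z"}]}
NOW = datetime(2020, 1, 14, tzinfo=timezone.utc)  # the post's publication date

if __name__ == "__main__":
    print(audit_docs(DOC, {"solarmora.com"}))
    print(days_to_expiry(RDAP_SAMPLE, NOW), needs_attention(RDAP_SAMPLE, NOW))
```

Anything landing in the "unowned" bucket is the thing to fix before publishing; anything "owned" is what the expiry monitor should be watching.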

11 thoughts on “Even Google forgets to renew its domains”

  1. Mike says:

    I hope you have a reminder set for 9th August to see if you can buy solarmora.com

  2. Micky Gee says:

    So.. You’re a tenner down still? SADFACE.

  3. What's wrong with example.com?

    Or SpottedFig.example?

    1. Ah, now I can see your images, they need to use a live domain.

      So why not google.com? Or abc.xyz?

  4. knoebber says:

    Darn, I thought the story was going to end with google offering you millions of dollars to buy spottedfig.org back.

  5. Andrew McGlashan says:

    Even Google has broken SPF records!

    dig -t txt +short google.com|grep spf1

    “v=spf1 include:_spf.google.com ~all”

    As far as I am concerned, anybody using “~all” should only be doing so whilst testing…. and I don’t think it would be fair to say that Google is still testing SPF.

    1. mx03 says:

      SPF is broken, and only “~all” or “?all” should be used.

  6. Onyekachi says:

    Lol, I was just scrolling fast to get to the point where you would be offered millis but alas, I couldn't find that here.

    Well, google feels that the domain is pretty much useless that's why they didn't even care.

    Good article here. I hope the Big G and other large companies learn from this.
