- Google forgot to renew a domain used in their documentation.
- It was mildly embarrassing for them.
- And possibly a minor security concern for some new G-Suite domain administrators.
Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn’t be used for anything important, and – most importantly – should be under your control.
In most of Google’s domain documentation, they used SpottedFig.org – why? Who knows!
They used it across their support platform:
Yet, for some reason, they didn’t renew it when it expired a couple of months ago.
So I bought it for £10. Cheap!
Google’s documentation said “To view DNS results for a domain already configured to use G Suite, enter spottedfig.org.”
As I now have control of the domain, I could have entered malicious DNS information and convinced people to use it. Perhaps redirecting their email to my servers.
Look, this isn’t in the same league as the chap who bought Google.com for $12. This is a minor domain with probably zero traffic until I stumbled upon it. Looking in the Wayback Machine, it appears that the site never had any meaningful content.
Because Google specifically advised users to check the DNS entries of SpottedFig.org, I thought there was a minor security risk that Google users could be tricked into entering incorrect DNS information. So I responsibly disclosed it to them.
Eventually, Google replaced most references to SpottedFig in their documentation. They inexplicably left this .com one though:
- 2019-11-29 Found the domain while reading the documentation close to midnight.
- 2019-11-30 Purchased the domain. Wrote a badly worded vulnerability report at 1am and sent to Google.
- 2019-12-02 Marked as “infeasible” by Google. So I wrote a better explanation. Essentially “Google tells G-Suite admins to use my domain as a template for configuration.”
- 2019-12-03 Google reconsidered! Said it probably wasn’t eligible for a bounty (drat!) but they’d evaluate it.
- 2019-12-11 I noticed that Google had rewritten its documentation. All references to SpottedFig.org were removed and replaced with a domain they control –
- 2019-12-18 “As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame”
- 2020-01-14 Published this blog post.
How to prevent this happening to you?
I recommend using Little Warden to monitor your domains.
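Beyond a monitoring service, the criteria above (an example domain should be obviously an example, validly formatted, and under your control) can be checked mechanically. The script below is an added example, not from the original post: it scans documentation text for domain names and flags any that are neither reserved for documentation (the RFC 2606/6761 names such as example.com and .invalid, which nobody can register or let lapse) nor on your own list of owned domains, and warns when an owned one is close to its expiry date. The documentation text, the owned-domain list and its expiry dates are constructed for illustration.

```python
"""Audit documentation for example domains that could be bought by a stranger.

Added example, not part of the original post. All sample data is constructed.
"""
import re
from datetime import date

# Names reserved for documentation by RFC 2606 / RFC 6761: they cannot be
# registered, so they can never expire out from under you.
RESERVED = ("example.com", "example.net", "example.org",
            ".example", ".invalid", ".test", ".localhost")

# Domains you actually own, with their registry expiry dates (constructed).
OWNED = {"ourdocs-example.org": date(2020, 6, 1)}   # hypothetical domain

# Constructed documentation text; the spottedfig.org line mirrors the post.
SAMPLE_DOCS = """
To view DNS results for a domain already configured to use G Suite, enter spottedfig.org.
Replace ourdocs-example.org with your own domain.
Test with example.com or mail.example.net first.
"""

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def is_reserved(domain):
    """True if the name is a reserved documentation domain or lies under one."""
    for s in RESERVED:
        if s.startswith("."):
            if domain.endswith(s):
                return True
        elif domain == s or domain.endswith("." + s):
            return True
    return False


def find_domains(text):
    """Return the set of lower-cased domain names referenced in the text."""
    return {m.group(0).lower() for m in DOMAIN_RE.finditer(text)}


def audit(text, owned, today, warn_days=60):
    """Map each risky domain in the text to the reason it needs attention."""
    problems = {}
    for domain in sorted(find_domains(text)):
        if is_reserved(domain):
            continue                      # safe: nobody can register it
        if domain in owned:
            days = (owned[domain] - today).days
            if days <= warn_days:         # renew before it lapses
                problems[domain] = f"expires in {days} days"
        else:
            problems[domain] = "not reserved and not under your control"
    return problems
```

Running `audit(SAMPLE_DOCS, OWNED, date(2020, 5, 1))` flags spottedfig.org as uncontrolled and the owned domain as expiring within the warning window, while the reserved names pass.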