Google Apps flaw exposes 280,000 domain owners' details
The business tools should have given users privacy, but listed them publicly
Google Apps for Work has been revealing confidential customer details from 280,000 domains for up to two years.
A bug in Google's software and online tools, including Gmail, Calendar, Google Sheets, Docs and Slides, means that those who registered private domains on which to run their business services have had their information listed in the WHOIS database, according to Cisco.
Cisco's Talos Security Intelligence and Research Group revealed that those who paid to have their details hidden were safeguarded for the first year of registration.
However, when their domains were renewed, their details were posted to WHOIS rather than being enrolled in the eNom third-party privacy provider as they expected.
Talos explained in a blog post that revealing the identities of those who have registered domains could enable criminal activity.
"Threat actors may use domain-registration information for malicious purposes. For example, sending targeted spear phish emails containing the victim's name, address, and phone number to make the phish seem even more authentic," it said.
A Google spokesman confirmed Talos had uncovered the flaw.
"A security researcher recently reported a defect via our Vulnerability Rewards Program affecting Google Apps' integration with the eNom domain registration API," the statement said.
"We identified the root cause, made the appropriate fixes, and communicated this with affected Apps customers. We apologize for any issues this may have caused."
The company confirmed the domains had returned to being private, although Talos noted some companies keep archived records of the WHOIS information so it could still be accessible in future.
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.