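This page is an excerpt and archive of the corresponding 未名空间 post; posts less than a week old show at most 50 characters, and posts older than a week show 500 characters.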
Programming board - Google leaks user information too
w**z
Posts: 8232
1
Google accidentally leaked hundreds of thousands of customers' personal
details and didn't notice for 2 years
Read more: http://www.businessinsider.com/google-leaks-whois-data-of-280000-customers-2015-3#ixzz3UlD54a5k
Google accidentally leaked the personal details of more than 280,000
customers, Ars Technica reports. The fault first appeared back in mid-2013,
but it has only recently been discovered and fixed, meaning people have been
at risk for years.
Identified by security researchers at Cisco, the vulnerability affects
websites registered via Google Apps for work, using the registrar eNom. The
owners of the websites in question had all opted into "WHOIS privacy
protection." When someone "WHOIS's" — or queries — the website, the
personal details of the person who registered it are hidden.
You might use the service if you're, say, an anonymous blogger or run a
website about an embarrassing hobby — or are just privacy-conscious.
In fact, 305,925 domains were registered this way, but Cisco found that
282,867 of them (94%) have had their personal details unmasked because of a
fault in Google's code. Customers' leaked information includes "full names,
addresses, phone numbers, and email addresses."
Cisco discovered the issue on February 19, 2015, two years after the fault
first arose. After Google was notified, the search giant fixed it about a
week later, and notified customers on March 17, 2015. It's unclear how many
customers seeking anonymity were unmasked as a result of this error.
Cisco researchers write that, in addition to the direct threat that the
operators of sensitive websites may face as a result of being unmasked, it
puts them at greater risk for fraud. Being able to send "targeted spear
phish emails containing the victim's name address and phone number" could
make attempts at fraud and identity theft more dangerous.
Here's the message Google Apps customers received:
Dear Google Apps Administrator,
We are writing to notify you of a software defect in Google Apps’ domain
registration system that affected your account. We are sorry that this
defect occurred. We want to inform you of the incident and the remedial
actions we have taken to resolve it.
When the unlisted registration option was selected, your domain registration
information was not included in the WHOIS directory for the first year.
However, due to a software defect in the Google Apps domain renewal system,
eNom’s unlisted registration service was not extended when your domain
registration was renewed. As a result, upon renewal and from then on forward,
your registration information was listed publicly in the WHOIS directory.
A Google representative provided Business Insider with the following
statement:
A security researcher recently reported a defect via our Vulnerability
Rewards Program affecting Google Apps’ integration with the Enom domain
registration API. We identified the root cause, made the appropriate fixes,
and we're communicating with affected Apps customers. We apologize for any
issues this may have caused.
Read more: http://www.businessinsider.com/google-leaks-whois-data-of-280000-customers-2015-3#ixzz3UlDLFJhS
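An added example, not part of the original post and not Google's or eNom's code: a check an affected administrator could run to see whether domains registered with the unlisted option now publish the account's real contact details, as the notification above describes happening after renewal. The domain names, contact details, WHOIS text and inventory layout are constructed assumptions; real WHOIS output varies by registrar.

```python
import re

# Constructed sample data (not real records). Inventory layout is hypothetical.
CONTACT = {"name": "Alice Example", "email": "alice@mail.example",
           "phone": "+1 555-555-0100"}
INVENTORY = {  # domain -> what the owner chose at registration
    "first-year.example": {"privacy_opted_in": True, "contact": CONTACT},
    "renewed.example": {"privacy_opted_in": True, "contact": CONTACT},
    "public.example": {"privacy_opted_in": False, "contact": CONTACT},
}
PROXY = ("Registrant Name: Privacy Proxy\n"
         "Registrant Email: proxy@proxy.example\n"
         "Registrant Phone: +1.5555550199\n")
REAL = ("Registrar URL: http://registrar.example\n"
        "Registrant Name: Alice Example\n"
        "Registrant Email: ALICE@MAIL.EXAMPLE\n"
        "Registrant Phone: +1.5555550100\n")
WHOIS = {"first-year.example": PROXY, "renewed.example": REAL,
         "public.example": REAL}

CONTACT_PREFIXES = ("registrant", "admin", "tech")

def parse_whois(text):
    """Parse 'Key: value' lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def normalize(value):
    """Lowercase and drop spacing/punctuation so differing formats compare equal."""
    return re.sub(r"[^a-z0-9@]", "", value.lower())

def exposed_fields(whois_text, contact):
    """Return the contact fields whose real value appears in the WHOIS record."""
    published = {normalize(v)
                 for key, values in parse_whois(whois_text).items()
                 if key.startswith(CONTACT_PREFIXES) for v in values}
    return sorted(f for f, v in contact.items() if normalize(v) in published)

def audit(inventory, whois_by_domain):
    """Flag domains that opted into privacy but still publish real details."""
    findings = {}
    for domain, entry in inventory.items():
        if entry["privacy_opted_in"]:
            leaked = exposed_fields(whois_by_domain[domain], entry["contact"])
            if leaked:
                findings[domain] = leaked
    return findings
```

Running `audit(INVENTORY, WHOIS)` on the constructed data flags only `renewed.example`; the domain that never opted into privacy is out of scope for this check.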