Today, British developer and hacker Ben Reyes wrote a post describing how he was able to use an expired domain to access to another person’s Gmail, Google calendar, contacts, and more, which then, in turn, allowed him to access further web accounts, like Amazon.
It started when Reyes recently attempted to link a newly registered domain to Google Apps. The Google Apps page immediately responded to the request, saying that the domain had already been registered. Thank you, try again. This was because the previous owner of the domain name had left it tied to Google Apps. So Reyes went through the domain reclamation process, proved he was the new owner, and shabang, he was granted access.
Once he signed in, the fun started. Google apps gave him a choice of two administrator accounts, so he chose one at random, picked a new password, and signed in. He then found himself gazing at the entire email history, calendars, and contacts owned by someone he didn’t know. If Reyes had been harboring malicious intentions, he presumably could have used this information to launch an attack on the person as well as the organizations the person had patronized.
He was able to quickly discover that the person in question was the owner of an Amazon Web Services account, so he sent Amazon a password reset request, changed the password, and was quickly granted access. Considering Amazon and most other online services simply require an email address to reclaim an account, you can see the potential for some serious identity theft here. Not only that, but with access to AWS, Reyes could easily recover the person’s name, address, and the last 4 digits of their credit card. Yikes.
Again, someone with a greater facility with the dark side could easily use the information above to squirm their way into the person’s PayPal account to steal further financial information, not to mention files and personal information stored on Dropbox and Facebook.Dell latitude d400 Battery,Dell kd476 Batteries
Reyes of course alerted the owner of the AWS account he had accessed, making them aware of their vulnerability — and to his blog post, which he had subsequently published on Hacker News. In fact, it turns out that the person in question is the senior lead at a well-funded and fairly well-known startup. So, if this can happen to someone with technical know-how, it can happen to anybody.
Reyes has also contacted Google to make them aware of the security loophole. Google has not yet given concrete word as to whether or not they’ve fixed the problem, but this just illuminates the larger issue at hand here, which is that he could have easily accessed the person’s Amazon account using a wildcard email address. Meaning that it’s pretty easy to steal your personal information through an expired domain linked to Google Apps.
According to Stuckdomains, there are more than 33 million expired domains on the Web. I think many of us have let a domain name or two expire, but clearly doing so with other accounts still attached to it poses a huge security risk. Even if an expired domain isn’t attached to Google Apps, one could still use, say, an Amazon account to gather personal info.
But Google Apps obviously provides an easier way for someone to discover what accounts are already tied to the domain. And this goes for the non-technical as well. You don’t have to be a hacker. Many of us legitimately tie domains to Google Apps and could experience the same.Reyes and I agreed that this may cause VCs and investors (not to mention people across the board) to rush back to those forgotten domains to re-register — for the sake of preventing their email addresses from being leaked to eager young startups. (God forbid.) And more.
After all, a few users in the post’s comment section on Hacker News said that they’d already written scripts to scan all newly expired domain names to check to see if they’re connected with Google Apps. Megamark16 chimed in, saying, “It took me about 10 minutes to write a python script that grabs a list of recently expired domains and checks each domain to see if it’s a valid Google Apps domain. This is a pretty serious issue, if indeed it’s still possible to take ownership of accounts as the article suggests”.
CloudTags: Google Apps, responded, request, laptop batteries, Dell latitude d630 Battery, Dell latitude d620 Batteries, sony laptop battery, Cheap Dell inspiron 1300 battery,Dell inspiron 9400 Batteries, Dell inspiron 6400 Batteries
没有评论:
发表评论