Saket Jajodia

Tecko Blog..!!

Follow me on Twitter @

Google Apps Loophole, Let You Access Other’s Domain Login Details [UPDATED]

Recently I was changing some of my domains’ NameServer which I bought through Google Apps (via GoDaddy). So while signing-in from one GA account to another I noticed that I am able to see the login details of my Domain Name Manager of my pervious account in which I had just changed the name server. Let me explain you for easy words:

For instance I have two domains which I bought from Google Apps (GA), ab1.com and ab2.com, now first I logged into my ab1.com Google Apps account to see the login details of Domain Name Manager for ab1.com domain. After I changed the NameServer I just changed ab1.com to ab2.com which is in starting of the URL so that I can login to my another GA account (http://google.com/a/cpanel/ab1.com/DomainSettingsAdvancedDns?domainName=ab1.com to http://google.com/a/cpanel/ab2.com/DomainSettingsAdvancedDns?domainName=ab1.com), now I was asked to login in to my ab2.com GA account so I did but after I logged in I show that it is showing the same login details for Domain Name Manager which I show in ab1.com.

Google Apps - Advanced DNS settings bug

This made me think for a while, how this can happen. Then my eye noticed something on address bar that at the end of URL it is still written ab1.com, so instantly something came into my mind and I thought of trying some different domain which were bought through GA and I don’t know about the GA account login details for that domain, so first domain strike me was of Amit Agarwal’s domain called labnol.org, as also at that moment his blog was already down and hacked by someone (as Amit Agarwal claimed in one of his tweet) so I given a shot and this time I changed the ab1.com to labnol.org which was written at the end of URL: http://google.com/a/cpanel/ab2.com/DomainSettingsAdvancedDns?domainName=labnol.org and what I show was really shocking that I was actually able to see labnol’s Domain Name Manager login details. And then without giving a second thought I made a status update on my Facebook a/c that there is a bug in GA system by which most of the domains bought through GA can get hacked (without disclosing much information on it).


And just after making that update I started trying to get in contact with Amit but there was no-reply on his number then I started contacting Google Apps support team and was trying to explain them about the bug which where there in their system.

When got in contact with one of their support team they were not believing me that there can be any kind of such security flaws in there system and to explain them about this it took me more than an hour and still I wasn’t able to see Good sign that they are taking me seriously and I also heard one of them where laughing when I was trying to explain them about it. I thought why I should waste my precious time by helping them, as they started laughing on me, it made me really angry but for the shake of millions of domains which were bought through GA so to help those people who bought I again tried to explain them and still I wasn’t able to see any positive sign.

Then I made a screen-cast using  screener.com and showed them the video that I was able to see the login details even without needing to login to their GA account then they believed me that I wasn’t making any fun out here and I was damn serious about it. Then they said that yes it a massive issue and should be resolved soon and they will forwarded the request to their team to look into it and will get back to me ASAP via email or via phone call.

Then the problem got solved in few hours, however I never heard from them again even I sent them an email asking for an update about the same but didn’t received any reply from them. At least I was expecting to get some acknowledgment (if they can’t reward) from them as I reported them such a huge bug and without misusing it.

P.S. Anyways I just wrote this post make everyone aware about this problem that Google Apps had and also wanted to request Mr. Amit Agarwal to change his Domain Name Manager login details.

[UPDATE : 04/07/2012 : 12/PM] Just now recived email from Google Security Team:

Hey

I understand you reported an interesting bug to our Google Apps engineers
– much appreciated!

Just wanted to let you know that I’ve added this issue to our weekly panel
meeting for next Tuesday. We’ll consider this under our reward program:
http://www.google.com/about/company/rewardprogram.html

I’ll update you next week with more information once we’ve made our
decision.

(BTW, please reply to this message so I know you’ve received it)

Cheers,
Adam

Reply

Please use your original name while commenting, Thank you..!!








Designed by Blogger Templates and Blog and Web