Loophole Enables Squatting in Google Apps for Domains System

Posted by on Feb 1, 2011 | 9 Comments

Google Apps has a fundamental flaw in the way it creates accounts. Anyone can squat on a domain without proof of ownership. I found this out yesterday when I attempted to go through the process of setting up shared calendaring for the LockerGnome team. Chris Pirillo and I were both under the impression that LockerGnome.com had never been set up on Google Apps. We were wrong. And apparently we’re not alone. A quick Google search reveals this happens often, as evidenced by Google Apps support threads here, here, and here. There are over 1,000 threads related to this issue.

I decided to see if I could replicate our problem by signing up for Google Apps with someone else’s domain. I started with Microsoft.com, which Google was smart enough to block. I went for the next best thing – a major media outlet. SeattleTimes.com was not registered on Google Apps. Now it is. By me.

Google Apps for Domains

How did I claim SeattleTimes.com in Google Apps? Simple: I filled out a form using my gmail.com address.

Google Apps sent me the following email and I’m now squatting on SeattleTimes.com inside its service.

Hello Google Apps admin,

We’re excited to help you offer powerful communication and sharing tools to seattletimes.com with Google Apps!

To learn how to setup and deploy Google Apps, visit our getting started resource center for tips and instructions:

http://www.google.com/a/help/intl/en/admins/resources/setup/

Step 1: Sign in to the administrative control panel. Here you can manage your user accounts and customize Google Apps. To access the control panel, visit:

http://www.google.com/a/seattletimes.com/

If you haven’t already signed in and created your administrator account, you can click here:
[URL Redacted]

Step 2: Verify domain ownership. Before we can fully activate your services, you will need to verify ownership of seattletimes.com. From the control panel, you can verify by either uploading an HTML file or creating a special CNAME record. Verifying ownership does not cause any change to your existing services.

To find more information or get in touch, visit our Help Center at http://www.google.com/support/a. Please do not reply to this email; replies are not monitored.

Sincerely,
The Google Apps Team

Google Apps Domain Settings

Admittedly, I can’t go all the way with my claim on SeattleTimes.com. I don’t have access to DNS settings to point MX records to Google Apps or set up CNAME forwarding for things like calendaring. But my claim means that when SeattleTimes.com decides to switch to Google Apps in the future, it will have to jump through extra hoops to get there.

The current steps to claiming a domain in Google Apps are:

  1. Enter Domain
  2. Create Account
  3. Verify Domain Ownership

Instead of the current system, Google should require a step to verify my right to claim SeattleTimes.com before I get through the account creation process. Something more like:

  1. Enter Domain
  2. Verify Domain Ownership
  3. Create Account

Domain verification should come before account creation so that companies like LockerGnome and the Seattle Times don’t have to reassert their ownership. My goal in writing this article? Get Google to fix the process. I don’t want a Google Apps account for SeattleTimes.com. In fact, I’m fairly certain I violated the Google Apps terms of service when I set up the account, but I didn’t have any other way to make my point. If you have a domain that gets hijacked in Google Apps, there’s a form you can fill out. Unfortunately, Google doesn’t give any indication of when or how you will get resolution.

UPDATE (8 February 2011): Since writing this post, I have a couple of updates on the Google Apps situation. The Lockergnome.com account configured in Google Apps was set up as part of Google Apps for Teams, a product currently being phased out. Google Apps for Teams did not use the domain administrator features standard in Google Apps, which meant that anyone could set it up. I have also learned that my access to the SeattleTimes.com Google Apps account expires after 14 days, so if I wanted to continue squatting on the domain, I’d have to go through the process of claiming it again.

While I’m happy to have resolution for the Lockergnome.com account, I’d still like to see Google take steps to prevent someone tying up a domain without the proper rights to do so. As someone who has acted as the decision maker for technology choices like choosing Google Apps or an Exchange Server, finding out that I couldn’t easily set up my domain with Google Apps because someone else was squatting on it would reduce my trust in Google as a service provider and likely steer me toward a solution with better protections for my brand in place.
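To make the ordering argument concrete, here is an added simulation (not the post's or Google's code) of the two flows described above: claim-then-verify, where an unverified signup takes the exclusive slot for the domain, versus verify-then-claim, where nothing is allocated until control is proven. The 14-day lapse of unverified claims follows the update above; the domain, accounts and the `googleverify.` CNAME label are constructed placeholders.

```python
from dataclasses import dataclass

CLAIM_TTL_DAYS = 14  # unverified claims lapse after this many days (per the update)


@dataclass
class Claim:
    owner: str
    created_day: int
    verified: bool


class DomainRegistry:
    """Tracks which account holds each domain under one of the two orderings."""

    def __init__(self, verify_first: bool, dns: dict[str, str]):
        self.verify_first = verify_first
        self.dns = dns  # constructed stand-in for real CNAME lookups
        self.claims: dict[str, Claim] = {}

    def _proves_control(self, domain: str, account: str) -> bool:
        # Ownership proof: a CNAME record carrying a token bound to the account.
        return self.dns.get(f"googleverify.{domain}") == f"token-{account}"

    def _expire(self, today: int) -> None:
        stale = [d for d, c in self.claims.items()
                 if not c.verified and today - c.created_day >= CLAIM_TTL_DAYS]
        for d in stale:
            del self.claims[d]

    def sign_up(self, domain: str, account: str, today: int) -> str:
        self._expire(today)
        held = self.claims.get(domain)
        if held and held.owner != account:
            return "blocked: domain already claimed"
        if self.verify_first and not self._proves_control(domain, account):
            return "rejected: prove control first"
        # In the claim-first flow the slot is taken here while still unverified.
        self.claims[domain] = Claim(account, today, self.verify_first)
        return "account created"


def simulate(verify_first: bool) -> list[str]:
    """A squatter signs up on day 0; the owner, who controls DNS, tries on days 3 and 14."""
    dns = {"googleverify.example.com": "token-owner@example.com"}  # constructed record
    reg = DomainRegistry(verify_first, dns)
    return [reg.sign_up("example.com", "squatter@mail.example", 0),
            reg.sign_up("example.com", "owner@example.com", 3),
            reg.sign_up("example.com", "owner@example.com", 14)]
```

With `verify_first=False` the legitimate owner is locked out until the squatter's claim lapses; with `verify_first=True` the squatter never gets a foothold and the owner is served on the first attempt.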

  • Pingback: Domain Squatting in Google Apps ~ Chris Pirillo

  • http://www.tchapin.com Tom chapin

    I totally had this happen to me, and it took me about two weeks to get it sorted out. I posted on various Google forums until I finally got a response back from someone claiming to be a Google employee.

    They really need to modify the google apps signup system so that they don’t actually create the account until the domain ownership is verified.

  • http://iscifi.tv jeff norris

    I have used GA for years and always thought it was stupid to create a CNAME or HTML hash to verify ownership when the domain was registered via a certified ICANN registrar.

    Since many sites are powered by GA, this type of verification could very well break email, google docs and many other services thus letting others into your private dataspace on google doc. Holy lame google what are you thinking!

    This post is a clear example of FAIL on the part of Google. If a site is not powered by GA for email, docs, etc and later is, rather than forcing the hand that lays claim to another GA account holder that is squatting the domain, google could use the ICANN registration information as part of their verification system.
    Also part of the problem is when you as the legitimate holder of a domain do verify the ownership with GA. The squatter also gets an email from GA indicating that the domain ownership was transferred to user @ domain . Just bringing more trollish like actions towards the legitimate domain holder.

    As above.
    1 create domain
    2 verify domain
    3 domain claimed
    if step #2 is never done then domain is never claimed and is available to legitimate owners. Even a 1,2, 4, 24 hour timeout would work.

    Get with it google!

  • Pingback: Hijacking Unclaimed Google Apps Domain Services To Hijack Mail, or Assign a Domain Penalty |Tuesday February 1, 2011 XYHD.TV

  • http://www.onlineaspect.com Josh Fraser

    This same issue comes up in non-nefarious situations as well. For example, I wrote about this just a few months ago when I bought a domain from a squatter and found that I couldn’t set up Google apps because he’d used them as well. This caused the domain to go into limbo and there’s very little you can do to fix it without calling in favors from the Google team.

    http://www.onlineaspect.com/2010/11/12/issues_with_google_apps/

  • Pingback: SearchCap: The Day In Search, February 1, 2011

  • http://epicmaine.com Jeff Anthony

    Wow. That’s pretty lame and I’m usually enthusiastic about Google.

  • http://www.newmindgroup.com Daniel Jefferies

    There might be a better way to do verification. However it should be noted that if a domain is not verified within “14-21 days” it will be removed from the Google Apps system.

    So for someone to squat on a domain indefinitely they would have to keep coming back and signing up every 14 days or so.

    http://www.google.com/support/a/bin/answer.py?hl=en&answer=60216

  • http://lon.to Truyen nguoi lon

    Not so much of a problem. You should fix your title, it’s kind of sensationalism.