One year after my domain name was stolen, Google’s Chris Evans has published a blog article reporting the theft as a phishing scheme, whereby the victim is tricked into sharing their email login details.
“Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.”
I’m sure Chris meant November.
Google’s blog post came in response to the more recent theft of MakeUseOf.com. Aibek, the MakeUseOf owner, has subsequently, and thankfully, had his domain name returned.
I like to think I’m cautious enough not to open a strange .exe email attachment, nor enter my login details on a fake website, but if that’s what happened, so be it.
I do, however, find it a little odd that a thief would gain access to my Gmail account, then choose to add email forwarding filters rather than simply change my password, thus locking me out. I published what I believed happened in my previous Gmail hack article.
Regardless, I’m glad Aibek of MakeUseOf had his domain name returned, and that Google have publicly acknowledged the previous Gmail CSRF vulnerability, even if it is over a year after the incident.
Aibek and I are two of the lucky ones. Many other domain theft victims contact me asking for help. Sadly, there’s little I can do except refer them to my account of what happened.