While researching the Google Domains interface, Ved entered ‘Google.com’ and clicked ‘search’. To his surprise, Google.com was available. He added it to his cart and completed the purchase, expecting to receive an error message at any time.
Instead, the transaction went through successfully, and his credit card was charged. As soon as he completed the purchase, he received two confirmation emails (one from email@example.com and one from firstname.lastname@example.org), and the new domain appeared in his Google Domains order history.
Additionally, Ved started receiving change-of-ownership notifications for websites that are powered by Google Sites (because Google Sites websites reside on the master domain Google.com).
However, Ved’s access was cancelled shortly afterwards, when administrators realised the error. Google was able to do this because the registration service (Google Domains) is also owned by Google.
Google Security then contacted Ved and offered him a reward for exposing the loophole in their system. Ved opted to instead donate the reward money to a charity organisation – the Art of Living India Foundation (and Google doubled the reward in response).
The Foundation’s education program runs schools across India, providing free education to more than 39,200 children in the slum, tribal and rural belts where poverty and child labour are commonplace.
Ved says his actions weren’t motivated by money and he’s not interested in profiting financially from the episode.
“I don’t care about the money. It was never about the money,” said Ved. “I also want to set an example that it’s people who want to find bugs that it’s not always about the money.”
In the interest of protecting Google, Ved has chosen not to discuss the outcome of Google’s investigation into the flaw, nor to reveal the size of the reward.
A similar incident affected Microsoft in 2003, when the software giant forgot to renew its Hotmail.uk domain. The domain was returned to the open market and picked up by a third party. On that occasion, since Microsoft wasn’t the registrar, they were unable to automatically revoke the order.