Update on Thursday, October 8: Google Security has now contacted me, and has offered me a $x reward in a very Googley way. I have opted to donate the money to charity (Google has therefore doubled the reward amount). Please scroll to the bottom of the post to know more.

A strange thing happened at 1:20 AM Eastern Time on Tuesday, September 29. I was learning more about the Google Domains interface, and typed google.com and clicked search domains. To my surprise, Google.com was showing as available!

I clicked the add to cart icon beside the domain (which should not appear if the domain is not available for sale). The domain actually got added to my cart as seen by the green check-box, and the domain appeared in my cart.

I was hoping I would get an error at sometime saying transaction did not go through, but I was able to complete purchase, and my credit card was actually charged!

As soon as I completed purchase, I received two emails, one from sc-noreply@google.com, and one from wmt-noreply@google.com, which is not the norm when you book domains via Google Domains as I have booked new, previously un-registered domains before, and I have never received emails from the above aliases on booking the domains. I will not share the contents of the emails here given they relate to the Google.com domain. The domain also successfully appeared in my Google Domains order history.

Additionally, my Google Search Console (aka Google Webmaster Tools) was auto-updated with webmaster related messages for the Google.com domain which actually means ownership was transferred to me! One gets the below messages in Search Console only for those domains for which one is the verified admin/verified owner (of course access was removed when domain was taken back by Google).

Additionally, I started receiving notifications, for when ownership changed (along with new owner details etc.) in the Google Search Console for websites (I will not name them) that are powered by Google Sites (which makes sense given that websites powered by Google Sites rest on the master domain Google.com). Quite clearly, ownership had been granted to me. Order was successful.

Though purchase had successfully gone through, and domain now belonged to me as evident above, the purchase was followed by an order cancellation email from Google Domains. Google could do this given the registration service used by me (aka Google Domains) belonged to Google, unlike the 2003 event in which Microsoft forgot to renew their Hotmail UK domain which was registered with Nominet UK. As a result, the Hotmail UK domain was returned to the open market for pickup by anybody who fancied it. Somebody else picked it up, and as Microsoft wasn't the registrar themselves, Microsoft wasn't able to cancel the order, and take it back automatically. In my case, I don't know what caused Google to lose ownership of the domain Google.com as a result of which it was available in the open market.

The purchase got completed and the card was charged (which would not have happened unless I actually successfully completed checkout, as otherwise I would have received an error). The charge was not a pre-auth.

The order history page auto-updated itself with a new message (missed taking a screenshot when the canceled message was not appearing).

On searching again for the domain Google.com, it now finally shows as unavailable.

The Indian Prime Minister's visit to Facebook and Google to promote a digital India did work wonders. The very next day of his visit, it ended up convincing Google to sell what is perhaps their most prized possession to a person hailing from the small city of Mandvi in the Kutch region of the Indian Prime Minister's home state...albeit just for a minute or so :) Or maybe because I love Google to heart, and because I have always been a loyal Googler and Xoogler, reporting several vulnerabilities in the past which had gone unnoticed, some divine force decided to give me ownership for a minute or so :)

-----

Note: I have reported the incident to Google Security. Google has reverted, has acknowledged the incident, and is investigating into the incident.

Update on Thursday, October 8: Google Security has now contacted me, and has offered me a $x reward in a very Googley way. I wrote back and told them it was never about money, and asked that the money be donated to charity to the Art of Living India Foundation. They have replied and have stated that they understand and respect the fact that this was not about getting a reward. Despite that, given what they found, and how this was handled, they are "excited" to offer me a reward.



Per my request, they will now donate the reward amount (they have doubled the amount as it is now going to charity) to the Art of Living India foundation. I have chosen that the donation be made towards the Art of Living's education program which runs 404 free schools across 18 states of India, providing free education to more than 39,200 children in the slum, tribal and rural belts where child labor and poverty are widespread. The schools nurture the complete child, including body, mind and spirit.

In the interest of protecting Google, I do not wish to discuss the particulars of their final finding, and the reward amount.