Widespread Google Group misconfigurations exposing sensitive data
Widespread Google Group misconfigurations exposing sensitive data

Kenna security researchers warn that widespread Google Group misconfigurations are exposing sensitive information.

Researchers conducted a broad survey of 2.5 million domains looking for configurations that were publicly exposed and after finding 9,637 exposed organisations, the team utilised a random sample of 171 public organisations to determine that there were nearly 3,000 domains leaking some form of sensitive data, according to a 1 June blog post.

Affected organisations included Fortune 500 organisations, hospitals, universities and colleges, newspapers, television stations, financial organisations, and even US government agencies.

As a result of the misconfiguration researchers found emails with subject lines including:

  • Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
  • Re: URGENT: Past Due Invoice. Group: Accounts Payable
  • Fw: Password Recovery. Group: Support
  • GitHub credentials. Group: [REDACTED]
  • Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
  • RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management

Researchers have already contacted Google and made attempts to contact the most critically affected organisations, however, given the scope of the issue, many currently affected organisations remain exposed. 

Researchers warn that due to the complexity of terminology and organisation-wide vs group-specific permissions, it's possible for list administrators to inadvertently expose email list contents.

“Google Groups allows a G Suite administrator to create mailing lists that deliver emails to specific recipients, but also will simultaneously provision a web interface associated with the mailing list,” the report said.

“In affected organizations, the Groups visibility setting, available by searching “Groups Visibility” after logging into https://admin.google.com, is configured to “Public on the Internet”.”

This setting allow options to share outside the organisation and while they aren't selected by default, affected organisation have configured them, presumably without understanding the implications as no warning is provided about the potential implications outside of the setting description.

Organisations can check if they are effected by browsing the configuration page by logging into G Suite as an administrator and typing “Settings for Groups for Business” or by using this direct link provided by the researchers.

Those who are affected should turn their domain-level Google Group settings to default “Private” unless they require some groups to be available to external users to prevent new groups from being shared to anonymous users. Admins should also check the settings of individual groups to ensure that they're configured as expected.

Google also provides a feature that count the number of “views” for a specific thread to help those affected determine if external parties have accessed the sensitive data.

Researchers said they aren't' aware of this functionality being abused but added that exploitation requires no special tooling.

“Whether it's Amazon S3 buckets or, in this case, Google Groups, it's clear that companies are struggling,” Fred Kneip, chief executive officer at CyberGRX, told SC Media. “Even if your organisation has all of its cloud tools correctly configured in your own environment, there's still a chance that the companies you depend on to do business – third parties like vendors, contractors and partners – will fail to do so, and that can create a path to your data.”

Kneip added the information security posture of all third parties in an organisation's digital ecosystem must be measured, monitored and viewed as part of their extended ecosystem of responsibility.”

Alex Calic, chief strategy and revenue officer of The Media Trust, said organisations need to develop and enforce stringent rules around how sensitive information is shared as laws like the GDPR tighten around how personal information is collected and shared.

“Apart from the fact that the misconfiguration issue could have been easily avoided, another alarming issue with the Google Groups situation is that companies appear to be sharing highly sensitive information,” Calic said. “This is a symptom of the absence of robust policies - and processes to enforce them--to reduce companies' exposure to digital risks.

Calic went on to say that exercising vigilance is more important now than ever.