A widespread misconfiguration in Google Groups is apparently leading to the leaking of significant amounts of sensitive data by thousands of organizations. According to cybersecurity firm Kenna Security, those affected by the misconfiguration include media organizations, hospitals, universities, colleges, Fortune 500 companies and even U.S. government agencies. Apparently, out of a sample of 9,600 organizations that have public Google Groups settings, 31% (around 3,000) are exposing some form of sensitive email information and/or data. This suggests that the global footprint of impacted organizations could equal tens of thousands.
In a blog post, Kenna Security details the misconfiguration, the action steps that can be taken to find and remedy it, and an overview of the effects on the organizations that are impacted.
Organizations that are deploying Google’s G Suite are given access to its Google Groups product, a web forum integrated with an organization’s mailing lists. Due to “complexity in terminology and organization-wide vs. group-specific permissions”, list administrators can quite easily inadvertently expose email list contents through misconfiguring a Google Groups interface when setting up a mailing list. If a Group’s visibility setting is configured as “Public on the Internet”, the administrator has (likely unintentionally) allowed information to be shared outside of the organization.
Kenna Security contacted Google about the problem, but Google said it has no plans to issue a specific mitigation for it, as it is a configuration rather than a programming issue. However, Google did post its own blog on the subject last week, acknowledging the problem and detailing how to secure a Google Groups environment.
Google explained that “by default, Google Groups are set to private; there have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings”.
Google also reiterated its position on the need for shared responsibility in cloud computing, and reminded users who create public Google Groups and give anyone in their domain the option to create groups that “you’re trusting your users to manage their settings and use these groups appropriately.” They added a note of caution: “It’s worth carefully considering whether this configuration makes the most sense for your organization.”
The type of information that is being made public is varied, including invoice data, customer support emails and password-recovery emails.
Cybersecurity researcher Brian Krebs published his own examination of the problem last week, highlighting the security risks of the misconfiguration. Krebs wrote, “In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as ‘password,’ ‘account,’ ‘HR,’ ‘accounting,’ ‘user name’ and ‘http:.’”
Both Krebs and Kenna Security stressed that unless groups need to be available to external users, it would be sensible to ensure that your domain-level Google Group settings are in the default “private” mode.
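One way an administrator can find the misconfiguration described above across all of an organization's groups is to pull each group's settings and flag the exposed ones. The script below is an added example, not code from the article, Kenna Security or Google. It uses the field names and enum values of the Google Groups Settings API (`whoCanViewGroup`, `whoCanJoin`, `whoCanPostMessage`, `isArchived`), but works offline over constructed sample records rather than live API calls, and it goes slightly beyond the article's single "Public on the Internet" case by also flagging open joining and the combination of public archive plus external posting that produces the leaked invoices, support tickets and password-recovery mail the article mentions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    group: str
    severity: str  # "high" or "low"
    reason: str


# Constructed sample records shaped like the Groups Settings API's
# groups.get response (only the fields this audit reads). Not real data.
SAMPLE_GROUPS = [
    {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanJoin": "INVITED_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST",
     "isArchived": "true"},
    {"email": "invoices@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanJoin": "ANYONE_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST",
     "isArchived": "true"},
    {"email": "eng-announce@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanJoin": "CAN_REQUEST_TO_JOIN", "whoCanPostMessage": "ALL_MANAGERS_CAN_POST",
     "isArchived": "false"},
]


def _is_true(value) -> bool:
    """The Groups Settings API serialises booleans as the strings 'true'/'false'."""
    return str(value).lower() == "true"


def audit_group(settings: dict) -> list[Finding]:
    """Return the exposure findings for one group's settings record."""
    email = settings.get("email", "<unknown>")
    view = settings.get("whoCanViewGroup", "")
    join = settings.get("whoCanJoin", "")
    post = settings.get("whoCanPostMessage", "")
    archived = _is_true(settings.get("isArchived", "false"))
    findings: list[Finding] = []

    if view == "ANYONE_CAN_VIEW":
        # The "Public on the Internet" visibility setting from the article.
        findings.append(Finding(email, "high",
                                "archive readable by anyone on the Internet"))
        if archived and post == "ANYONE_CAN_POST":
            # The leak pattern the article describes: mail from outside
            # (invoices, support tickets, password resets) is archived
            # into a forum anyone can read.
            findings.append(Finding(email, "high",
                                    "inbound external mail is archived and publicly readable"))
    elif view == "ALL_IN_DOMAIN_CAN_VIEW":
        # Not public, but every account in the domain can read it; worth
        # a look for groups that receive customer or finance mail.
        findings.append(Finding(email, "low",
                                "archive readable by every account in the domain"))

    if join == "ANYONE_CAN_JOIN":
        # Membership without approval lets outsiders read members-only content.
        findings.append(Finding(email, "high",
                                "anyone on the Internet can join without approval"))
    return findings


def audit_groups(groups) -> list[Finding]:
    """Audit every settings record and concatenate the findings."""
    return [f for g in groups for f in audit_group(g)]


def severity_counts(findings) -> dict[str, int]:
    """Summarise findings as {severity: count} for reporting."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = audit_groups(SAMPLE_GROUPS)
    for f in results:
        print(f"[{f.severity.upper():4}] {f.group}: {f.reason}")
    print(severity_counts(results))
```

In a real deployment the records would come from the Groups Settings API (one `groups.get` per group address, enumerated through the Admin SDK Directory API) under a read-only service account; the audit logic itself is unchanged. The remediation for a `high` finding is the one the article gives: set the group's visibility back to the default private mode unless it genuinely needs external readers.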