Cloud

6/1/2018
02:02 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Groups Misconfiguration Exposes Corporate Data

Researchers say as many as 10,000 businesses are affected by a widespread misconfiguration in Google Groups settings.

A widespread Google Groups misconfiguration is causing businesses to leak corporate data. Administrators are urged to review their settings and check how many of their Google Groups mailing lists should be configured as public and indexed by Google.com.

Businesses using G Suite have access to Google Groups, a service integrated with corporate mailing lists that provides teams with discussion groups. Researchers at Kenna Security, along with KrebsOnSecurity, categorized thousands of businesses using public Google Groups to handle customer support and oftentimes exchange private enterprise information.

Admins can accidentally expose email list contents as a result of "complexity in terminology" and "organization-wide vs. group-specific permissions," Kenna researchers say. More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

G Suite administrators can use Google Groups to create mailing lists for messages to specific people, researchers explain. Groups grow as more people are added, and the risk to businesses increases if those people can create public accounts on groups that are otherwise private. As a result, many businesses are unknowingly leaking data in their messaging lists, Krebs explains.

Google Groups are private by default, and settings can be adjusted on a domain and per-group basis. Many businesses have Groups visibility configured to "Public on the Internet." As a result, Google Groups can leak emails that should be private but are searchable on Google. This exposes passwords, financial data, and employee names, addresses, and email addresses.

It's not hard to pull this data, Krebs points out. In most cases, all you have to do is access an organization's public Google Groups page and enter the search terms of your choice: "password," "account," "HR," and "username" are all simple examples. Businesses commonly use Google Groups to store customer support emails, which often contain personal data.

But it's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

"Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse," Kenna reports.

The setting can be found by logging into https:// admins.google.com and searching "Groups Visibility." Unless your team requires some groups to be accessed by external users, Kenna recommends switching your domain-level Google Group settings to private. Researchers also advise checking individual group settings to determine they are properly configured.

If you want to know whether your data has been viewed by third parties, you can check the Google Groups feature that records the number of views for specific threats. It's worth noting that Kenna's investigation found this count is at zero for nearly all affected businesses, a sign that few, if any, users have used the interface - for either malicious or benign purposes.

Google has also provided guidance for adjusting Google Groups settings here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.