Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/1/2018
02:02 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Groups Misconfiguration Exposes Corporate Data

Researchers say as many as 10,000 businesses are affected by a widespread misconfiguration in Google Groups settings.

A widespread Google Groups misconfiguration is causing businesses to leak corporate data. Administrators are urged to review their settings and check how many of their Google Groups mailing lists should be configured as public and indexed by Google.com.

Businesses using G Suite have access to Google Groups, a service integrated with corporate mailing lists that provides teams with discussion groups. Researchers at Kenna Security, along with KrebsOnSecurity, categorized thousands of businesses using public Google Groups to handle customer support and oftentimes exchange private enterprise information.

Admins can accidentally expose email list contents as a result of "complexity in terminology" and "organization-wide vs. group-specific permissions," Kenna researchers say. More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

G Suite administrators can use Google Groups to create mailing lists for messages to specific people, researchers explain. Groups grow as more people are added, and the risk to businesses increases if those people can create public accounts on groups that are otherwise private. As a result, many businesses are unknowingly leaking data in their messaging lists, Krebs explains.

Google Groups are private by default, and settings can be adjusted on a domain and per-group basis. Many businesses have Groups visibility configured to "Public on the Internet." As a result, Google Groups can leak emails that should be private but are searchable on Google. This exposes passwords, financial data, and employee names, addresses, and email addresses.

It's not hard to pull this data, Krebs points out. In most cases, all you have to do is access an organization's public Google Groups page and enter the search terms of your choice: "password," "account," "HR," and "username" are all simple examples. Businesses commonly use Google Groups to store customer support emails, which often contain personal data.

But it's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

"Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse," Kenna reports.

The setting can be found by logging into https:// admins.google.com and searching "Groups Visibility." Unless your team requires some groups to be accessed by external users, Kenna recommends switching your domain-level Google Group settings to private. Researchers also advise checking individual group settings to determine they are properly configured.

If you want to know whether your data has been viewed by third parties, you can check the Google Groups feature that records the number of views for specific threats. It's worth noting that Kenna's investigation found this count is at zero for nearly all affected businesses, a sign that few, if any, users have used the interface - for either malicious or benign purposes.

Google has also provided guidance for adjusting Google Groups settings here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...