Cloud

6/1/2018
02:02 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Groups Misconfiguration Exposes Corporate Data

Researchers say as many as 10,000 businesses are affected by a widespread misconfiguration in Google Groups settings.

A widespread Google Groups misconfiguration is causing businesses to leak corporate data. Administrators are urged to review their settings and check how many of their Google Groups mailing lists should be configured as public and indexed by Google.com.

Businesses using G Suite have access to Google Groups, a service integrated with corporate mailing lists that provides teams with discussion groups. Researchers at Kenna Security, along with KrebsOnSecurity, categorized thousands of businesses using public Google Groups to handle customer support and oftentimes exchange private enterprise information.

Admins can accidentally expose email list contents as a result of "complexity in terminology" and "organization-wide vs. group-specific permissions," Kenna researchers say. More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

G Suite administrators can use Google Groups to create mailing lists for messages to specific people, researchers explain. Groups grow as more people are added, and the risk to businesses increases if those people can create public accounts on groups that are otherwise private. As a result, many businesses are unknowingly leaking data in their messaging lists, Krebs explains.

Google Groups are private by default, and settings can be adjusted on a domain and per-group basis. Many businesses have Groups visibility configured to "Public on the Internet." As a result, Google Groups can leak emails that should be private but are searchable on Google. This exposes passwords, financial data, and employee names, addresses, and email addresses.

It's not hard to pull this data, Krebs points out. In most cases, all you have to do is access an organization's public Google Groups page and enter the search terms of your choice: "password," "account," "HR," and "username" are all simple examples. Businesses commonly use Google Groups to store customer support emails, which often contain personal data.

But it's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

"Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse," Kenna reports.

The setting can be found by logging into https:// admins.google.com and searching "Groups Visibility." Unless your team requires some groups to be accessed by external users, Kenna recommends switching your domain-level Google Group settings to private. Researchers also advise checking individual group settings to determine they are properly configured.

If you want to know whether your data has been viewed by third parties, you can check the Google Groups feature that records the number of views for specific threats. It's worth noting that Kenna's investigation found this count is at zero for nearly all affected businesses, a sign that few, if any, users have used the interface - for either malicious or benign purposes.

Google has also provided guidance for adjusting Google Groups settings here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Bluetooth Hack Affects Millions of Vehicles
Dark Reading Staff 11/16/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19406
PUBLISHED: 2018-11-21
kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.
CVE-2018-19407
PUBLISHED: 2018-11-21
The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.
CVE-2018-19404
PUBLISHED: 2018-11-21
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= ...
CVE-2018-19387
PUBLISHED: 2018-11-20
format_cb_pane_tabs in format.c in tmux 2.7 through 2.8 might allow attackers to cause a denial of service (NULL Pointer Dereference and application crash) by arranging for a malloc failure.
CVE-2018-19388
PUBLISHED: 2018-11-20
FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read, access violation, and application crash) via TIFF data because of a ConvertToPDF_x86!ReleaseFXURLToHtml issue.