Public Google Groups Leaking Sensitive Data at Thousands of Orgs

Thousands of organizations out there are leaking some form of sensitive email, according to an analysis, thanks to a widespread misconfiguration in Google Groups.

According to Kenna Security, the afflicted include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies. Out of just one sample of 9,600 organizations with public Google Groups settings (out of 2.5 million examined domains), the Kenna team found that 31 percent of them (about 3,000) are exposing data. That means that the global footprint of affected organizations could total tens of thousands.

Google Groups is a web forum that’s part of Google’s G Suite of workspace tools. It allows an administrator to create mailing lists to send specific content to specific recipients via email; and at the same time, that content (including email attachments) is published on a web interface that’s made available online to users. The privacy settings can be adjusted on both a domain and a per-group basis. In affected organizations, the Groups visibility setting is configured to be “Public on the Internet,” and the options to share information outside of the organization have been – likely unwittingly – configured to be open.

“Due to complexity in terminology and organization-wide vs. group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents,” Kenna researchers said, in a post Friday on the issue.

Google said that because it’s a misconfiguration issue, there are no plans to issue a specific mitigation for it. However, the search giant published its own post on the situation on Friday, explaining in detail how to lock down a Google Groups environment and reiterating its position on the shared responsibility model of cloud security.

“If you allow users in your domain create public Google Groups and give anyone in your domain the ability to create groups, you’re trusting your users to manage their settings and use these groups appropriately,” it said. “It’s worth carefully considering whether this configuration makes the most sense for your organization.”

The kind of information that’s being made available varies, but it includes everything from accounts payable and invoice data to customer support emails and password-recovery mails.

“Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources,” said independent researcher Brian Krebs, who published his own examination of the problem on Friday. “In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as ‘password,’ ‘account,’ ‘HR,’ ‘accounting,’ ‘user name’ and ‘http:.’”

In a Boston College incident made public in April by the student newspaper, public Google Groups pages containing hundreds of university communications and associated documents with restricted, confidential or otherwise sensitive information were open to anyone who could access the BC G Suite, which includes all faculty and staff, and enrolled students.

“Given the sensitive nature of this information, possible implications include spear-phishing, account takeover and a wide variety of case-specific fraud and abuse,” the Kenna researchers said.

The good news is that no attacks have been spotted in the wild yet leveraging the situation, although the researchers said that “exploitation requires no special tooling or knowledge” even as Google Groups remain open.

G Suite administrators can protect themselves and their companies by checking their settings immediately (available at this link).

The misconfiguration has been a common reality for some time; last year, security firm Redlock published an advisory on the issue, although it wasn’t widely publicized.