Cloud

6/1/2018
02:02 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Groups Misconfiguration Exposes Corporate Data

Researchers say as many as 10,000 businesses are affected by a widespread misconfiguration in Google Groups settings.

A widespread Google Groups misconfiguration is causing businesses to leak corporate data. Administrators are urged to review their settings and check how many of their Google Groups mailing lists should be configured as public and indexed by Google.com.

Businesses using G Suite have access to Google Groups, a service integrated with corporate mailing lists that provides teams with discussion groups. Researchers at Kenna Security, along with KrebsOnSecurity, categorized thousands of businesses using public Google Groups to handle customer support and oftentimes exchange private enterprise information.

Admins can accidentally expose email list contents as a result of "complexity in terminology" and "organization-wide vs. group-specific permissions," Kenna researchers say. More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

G Suite administrators can use Google Groups to create mailing lists for messages to specific people, researchers explain. Groups grow as more people are added, and the risk to businesses increases if those people can create public accounts on groups that are otherwise private. As a result, many businesses are unknowingly leaking data in their messaging lists, Krebs explains.

Google Groups are private by default, and settings can be adjusted on a domain and per-group basis. Many businesses have Groups visibility configured to "Public on the Internet." As a result, Google Groups can leak emails that should be private but are searchable on Google. This exposes passwords, financial data, and employee names, addresses, and email addresses.

It's not hard to pull this data, Krebs points out. In most cases, all you have to do is access an organization's public Google Groups page and enter the search terms of your choice: "password," "account," "HR," and "username" are all simple examples. Businesses commonly use Google Groups to store customer support emails, which often contain personal data.

But it's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

"Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse," Kenna reports.

The setting can be found by logging into https:// admins.google.com and searching "Groups Visibility." Unless your team requires some groups to be accessed by external users, Kenna recommends switching your domain-level Google Group settings to private. Researchers also advise checking individual group settings to determine they are properly configured.

If you want to know whether your data has been viewed by third parties, you can check the Google Groups feature that records the number of views for specific threats. It's worth noting that Kenna's investigation found this count is at zero for nearly all affected businesses, a sign that few, if any, users have used the interface - for either malicious or benign purposes.

Google has also provided guidance for adjusting Google Groups settings here.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.