Kenna security researchers warn that widespread Google Group misconfigurations are exposing sensitive information.
Researchers conducted a broad survey of 2.5 million domains looking for configurations that were publicly exposed and after finding 9,637 exposed organizations, the team utilized a random sample of 171 public organizations to determine that there were nearly 3,000 domains leaking some form of sensitive data, according to a June 1 blog post.
Affected organizations included Fortune 500 organizations, hospitals, universities and colleges, newspapers, television stations, financial organizations, and even US government agencies.
As a result of the misconfiguration researchers found emails with subject lines including:
Researchers have already contacted Google and made attempts to contact the most critically affected organizations, however, given the scope of the issue, many currently affected organizations remain exposed.
Researchers warn that due to the complexity of terminology and organization-wide vs group-specific permissions, it's possible for list administrators to inadvertently expose email list contents.
“Google Groups allows a G Suite administrator to create mailing lists that deliver emails to specific recipients, but also will simultaneously provision a web interface associated with the mailing list,” the report said.
“In affected organizations, the Groups visibility setting, available by searching “Groups Visibility” after logging into https://admin.google.com, is configured to “Public on the Internet”.”
This setting allow options to share outside the organization and while they aren't selected by default, affected organization have configured them, presumably without understanding the implications as no warning is provided about the potential implications outside of the setting description.
Organizations can check if they are effected by browsing the configuration page by logging into G Suite as an administrator and typing “Settings for Groups for Business” or by using this direct link provided by the researchers.
Those who are affected should turn their domain-level Google Group settings to default “Private” unless they require some groups to be available to external users to prevent new groups from being shared to anonymous users. Admins should also check the settings of individual groups to ensure that they're configured as expected.
Google also provides a feature that count the number of “views” for a specific thread to help those affected determine if external parties have accessed the sensitive data.
Researchers said they aren't' aware of this functionality being abused but added that exploitation requires no special tooling.
“Whether it's Amazon S3 buckets or, in this case, Google Groups, it's clear that companies are struggling,” Fred Kneip, chief executive officer at CyberGRX, told SC Media. “Even if your organization has all of its cloud tools correctly configured in your own environment, there's still a chance that the companies you depend on to do business – third parties like vendors, contractors and partners – will fail to do so, and that can create a path to your data.”
Kneip added the information security posture of all third parties in an organization's digital ecosystem must be measured, monitored and viewed as part of their extended ecosystem of responsibility.”
Alex Calic, chief strategy and revenue officer of The Media Trust, said organizations need to develop and enforce stringent rules around how sensitive information is shared as laws like the GDPR tighten around how personal information is collected and shared.
“Apart from the fact that the misconfiguration issue could have been easily avoided, another alarming issue with the Google Groups situation is that companies appear to be sharing highly sensitive information,” Calic said. “This is a symptom of the absence of robust policies--and processes to enforce them--to reduce companies' exposure to digital risks.
Calic went on to say that exercising vigilance is more important now than ever.