Kenna Security in collaboration with KrebsOnSecurity has identified the presence of a ‘widespread misconfiguration’ in Google Groups, which is causing exposure of sensitive emails from thousands of organizations including some Fortune 500 companies.
Due to this misconfiguration, a variety of industries have been affected, ranging from US government agencies, hospitals, and academic institutions to media organizations such as television stations and newspapers.
Kenna Security’s team analyzed only 9,600 organizations out of the 2.5 million domains examined (that utilized public Google Groups settings) and identified that about 3,000, or 31%, of them were leaking sensitive data. This means tens of thousands of organizations across the globe must be affected and confidential corporate data is being leaked.
The web forum Google Groups is actually part of G Suite, which is Google’s workspace tool. It lets web admins create mailing lists to email specific content to certain recipients while simultaneously publishing the content, which includes email attachments, on a public web interface and facilitating discussion groups.
Organizations that use G Suite can access Google Groups, which are set to be private by default, and web admins can adjust privacy settings on both per-group and admin levels.
In a misconfigured Google Groups forum, the visibility setting is configured as “Public on the Internet” and the options for sharing information outside of the organization have mistakenly been set to open.
As a result, emails that must remain private are leaked and remain searchable on the internet. The exposed information includes employee names, passwords, financial data, email addresses, and physical addresses.
Krebs, for his part, states that the data can be accessed easily by visiting a company’s public Google Groups page and entering a search term. The term can be anything, such as HR, username, password, or account. Because Google Groups are used to store customer support emails, they inevitably contain personal data of customers as well as corporate data and internal resources.
According to Kenna Security researchers, this accidental exposure of email list contents is caused by a ‘complexity in terminology’ and is quite widespread as it entails exposure of not only group-specific but organization-wide information as well.
The firm also identified authentic emails containing GitHub credentials, invoices, suspension documents and password recovery information. Given the sensitive nature of leaked data, it is quite possible that malicious threat actors would want to exploit the information. As noted by Kenna Security:
“Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse.”
The setting can be accessed by logging into https://admins.google.com and searching for Groups Visibility. Kenna Security also identified that the number of views for specific threads is currently zero for almost all affected businesses, which means very few users, if any, have used the interface for nefarious purposes.
Nevertheless, researchers have urged web admins to review their Google Groups settings and set them to private. They should also reevaluate how many of their mailing lists on this forum should be set as public and indexed by Google.com. The guidelines for adjusting Google Groups settings can be found here.
It is worth noting that Google has no plans at the moment to mitigate the threat because it is a misconfiguration flaw. Therefore, the company has issued details on how to secure access to a Google Groups environment and revise its status on the shared responsibility model.
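The settings review that the researchers urge can be run in bulk over an export of per-group settings. The following is an added example, not code from Kenna Security, KrebsOnSecurity, or Google: it assumes the field names and values of the Groups Settings API group resource (`whoCanViewGroup`, `whoCanJoin`, `allowExternalMembers`, `isArchived`), assumes `ANYONE_CAN_VIEW` corresponds to the “Public on the Internet” option, and uses constructed sample records.

```python
import json

# Assumption: ANYONE_CAN_VIEW is the API value behind "Public on the Internet".
PUBLIC_VIEW = "ANYONE_CAN_VIEW"

def is_true(value):
    # The Groups Settings API returns booleans as the strings "true"/"false".
    return str(value).lower() == "true"

def audit_group(settings):
    """Return (severity, reason) findings for one group's settings dict."""
    findings = []
    view = settings.get("whoCanViewGroup")
    if view is None:
        # Never treat a missing value as private: report it for manual review.
        findings.append(("UNKNOWN", "whoCanViewGroup missing from export"))
    elif view == PUBLIC_VIEW:
        # An archived public group exposes its stored message history.
        sev = "HIGH" if is_true(settings.get("isArchived")) else "MEDIUM"
        findings.append((sev, "messages viewable by anyone on the internet"))
    if (settings.get("whoCanJoin") == "ANYONE_CAN_JOIN"
            and is_true(settings.get("allowExternalMembers"))):
        findings.append(("MEDIUM", "external users can self-join and read"))
    return findings

def audit_all(groups):
    """Map group email -> findings, keeping only groups that have findings."""
    report = {}
    for g in groups:
        findings = audit_group(g)
        if findings:
            report[g.get("email", "<no email>")] = findings
    return report

# Constructed sample export (example.com is a placeholder domain).
SAMPLE = json.loads("""[
 {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
  "isArchived": "true", "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
 {"email": "hr@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
  "isArchived": "true", "whoCanJoin": "ANYONE_CAN_JOIN", "allowExternalMembers": "true"},
 {"email": "eng@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
  "isArchived": "true", "whoCanJoin": "CAN_REQUEST_TO_JOIN", "allowExternalMembers": "false"}
]""")

if __name__ == "__main__":
    for email, findings in audit_all(SAMPLE).items():
        for sev, reason in findings:
            print(f"{sev:8} {email}: {reason}")
```

Groups reported as HIGH are the ones to set to private first, since their archived messages are what a public search would return.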