Sensitive internal data of over 10,000 firms likely leaked due to Google Groups misconfiguration
A misconfiguration in Google Groups is believed to have leaked the sensitive data of numerous organisations. Companies using G Suite are offered access to Google Groups, which is a web forum product that provides a common platform for groups to communicate and discuss topics.
According to security researchers at Kenna Security, over 10,000 organisations, including Fortune 500 companies, universities, hospitals, newspapers, television stations and even some US government agencies are leaking some form of sensitive data at the moment due to a widespread misconfiguration in Google Groups.
“While investigating the issue, the team conducted a broad survey of 2.5 million domains, looking for configurations that were publicly exposed,” Kenna security researchers wrote in a blog. “After finding 9637 exposed organizations, the team utilized a random sample of 171 public organizations – enough to provide an affected count to a 90% confidence level. In doing so, the researchers determined that there were nearly 3000 leaking some form of sensitive data.
“Extrapolating from the original sample, it’s reasonable to assume that in total, over 10,000 organizations are currently inadvertently exposing sensitive information.”
Although Google Groups are set to private by default, the settings can be adjusted for each group or for the whole domain. In some cases, businesses have their group’s visibility configured to “public” on the internet, which exposes the group’s messages to anyone. In other words, passwords, usernames, employee names, addresses, email addresses, company financial data and more could be exposed.
Although researchers at Kenna alerted Google as well as some of the most critically affected organisations, many organisations remain exposed. Meanwhile, researchers also warned that although they are unaware of any abuse of the misconfigured functionality as of yet, one would require no specific skills or tools to exploit the functionality.
According to a report by Brian Krebs, all one has to do to access sensitive messages is to type in a company’s public Google Groups page, and fill in search terms such as “password”, “accounting”, “username”, etc.
“Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources,” Krebs noted.
Although Kenna security researchers notified Google about the issue, Google did not consider it to be a vulnerability and chose not to fix it, so the disclosure ended up with a “won’t fix” status. However, Google approved Kenna’s request to notify the public about the issue, which resulted in the security firm publishing its blog.
“By default, Google Groups are set to private; there have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings,” Google said in a blog post.
However, organisations that have been inadvertently leaking data can stop the exposure by changing the domain settings back to private, which will not only prevent anyone outside the domain from accessing any of the groups, but also ensure that even if new groups are created, they will be set to private by default.
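The check an administrator would run before and after that change can be sketched as follows. This is an added example, not code from Kenna, Google or the original article: it audits exported per-group settings offline and flags groups readable from outside the domain. The field names and values (whoCanViewGroup, ANYONE_CAN_VIEW and the others) are assumed to follow Google's Groups Settings API, and the sample records are constructed.

```python
# Added example: offline audit of exported Google Groups settings.
# Field names/values are assumed to match the Groups Settings API;
# every record in SAMPLE_GROUPS is constructed for illustration.

# Setting -> value that opens the group to people outside the domain.
RISKY_VALUES = {
    "whoCanViewGroup": "ANYONE_CAN_VIEW",    # archive readable by anyone
    "whoCanJoin": "ANYONE_CAN_JOIN",         # outsiders can self-join
    "whoCanPostMessage": "ANYONE_CAN_POST",  # outsiders can post
}

def audit_group(settings):
    """Return a list of findings for one group's settings record."""
    findings = []
    if "whoCanViewGroup" not in settings:
        # Missing visibility data is reported, not treated as private.
        findings.append("whoCanViewGroup=<missing>")
    for field, risky in RISKY_VALUES.items():
        if settings.get(field) == risky:
            findings.append(f"{field}={risky}")
    # Booleans are assumed to arrive as the strings "true"/"false".
    if str(settings.get("allowExternalMembers", "false")).lower() == "true":
        findings.append("allowExternalMembers=true")
    return findings

def audit_domain(groups):
    """Map group email -> findings, omitting groups with none."""
    report = {}
    for group in groups:
        findings = audit_group(group)
        if findings:
            report[group["email"]] = findings
    return report

def publicly_readable(report):
    """Groups whose message archive is visible to the whole internet."""
    return sorted(email for email, findings in report.items()
                  if "whoCanViewGroup=ANYONE_CAN_VIEW" in findings)

SAMPLE_GROUPS = [  # constructed records
    {"email": "hr@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
    {"email": "support@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST", "allowExternalMembers": "true"},
    {"email": "finance@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
    {"email": "legacy@example.com", "whoCanJoin": "INVITED_CAN_JOIN"},
]

if __name__ == "__main__":
    for email, findings in audit_domain(SAMPLE_GROUPS).items():
        print(email, "->", ", ".join(findings))
```

Groups listed by publicly_readable are the ones whose archives are exposed in the way the article describes; the other findings mark settings worth reviewing at the same time.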
This is far from the first time that organisations have been affected by a cloud misconfiguration issue. Over the past few years, many high-profile organisations across the globe ended up inadvertently exposing sensitive and personal data as a result of misconfigured Amazon Web Services (AWS) repositories. The string of breaches led to AWS making UX changes and adding a “public” badge on buckets, even alerting owners of public buckets.
However, in comparison with S3 buckets, researchers believe it is much simpler to find Google Groups configurations. What is more, the data exposed is also considered to be more serious given the nature of email. Given the value of the information contained within Google Groups, it is imperative that organisations take particular care to configure their groups’ settings to private, to avoid inadvertent data leaks.