Widespread Google Groups Misconfiguration Exposes Sensitive Information
A widespread misconfiguration in Google Groups for organizations utilizing G Suite was recently investigated and reported to Google by the Kenna Security Research Team. This blog post provides information about the misconfiguration, details on how to find and address it, and an overview of the impact on affected organizations.
Organizations utilizing G Suite are provided access to the Google Groups product, a web forum directly integrated with an organization’s mailing lists. Administrators may configure a Google Groups interface when creating a mailing list. Due to complexity in terminology, and in the interaction between organization-wide and group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents. In practice, this affects a significant number of organizations.
After realizing the potential for misconfiguration, the team began an investigation and performed a sampling of top domains, discovering over 9600 organizations with public Google Groups settings, and determining 31%, or 3000, of those organizations are currently leaking some form of sensitive email. Included are Fortune 500 organizations; Hospitals; Universities and Colleges; Newspapers and Television stations; and even US government agencies.
The team contacted Google early in the investigation and attempted to contact the most critically affected organizations; however, given the scope of the issue, many affected organizations remain exposed. The researchers are not currently aware of abuse of the functionality; however, exploitation requires no special tooling or knowledge, and G Suite administrators are urged to check their settings immediately, per the instructions below.
Google Groups allows a G Suite administrator to create mailing lists that deliver emails to specific recipients, and it also simultaneously provisions a web interface associated with the mailing list, available to users at https://groups.google.com.
Individual Google Group privacy settings can be adjusted on both a domain and a per-group basis. In affected organizations, the Groups visibility setting, available by searching “Groups Visibility” after logging into https://admin.google.com, is configured to “Public on the Internet”.
Once this setting is enabled, options to share outside the organization become available to administrators. While they are not selected by default, affected organizations have configured them, presumably without understanding the implication. No warning is provided about the potential implications outside of the setting description.
How do I know if I’m affected?
If you’d like to check your own organization, you can browse to the configuration page by logging into G Suite as an administrator and typing “Settings for Groups for Business” or simply using this direct link. In almost all cases – unless you’re explicitly using the Google Groups web interface – this should be set to “Private”.
If your groups are publicly accessible, your organization’s public listing can be viewed at the following link (replace [DOMAIN] with your G Suite domain): https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/
What If I’m affected?
First, unless you require some groups to be available to external users, set your domain-level Google Groups setting back to the default, “Private”, as detailed above. This will prevent new groups from being shared with anonymous users. Secondly, check the settings of individual groups to ensure that they’re configured as expected, since a group created while the domain-level setting was public keeps its own sharing options.
To determine if external parties have accessed information, Google Groups provides a feature that counts the number of “views” for a specific thread. In almost all sampled cases, this count is currently at zero for affected organizations, indicating that neither malicious nor regular users are utilizing the interface.
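One way to carry out the per-group check described above, as an added example that is not part of the original post and not Kenna Security’s or Google’s tooling: the script below classifies each group’s settings record by what it grants to anonymous Internet users, so that the groups whose archives are readable without authentication stand out from groups that are merely discoverable or that accept external posts (which support and sales lists often need). It assumes the field names and enum values of the Admin SDK Groups Settings API (whoCanViewGroup, whoCanDiscoverGroup, whoCanJoin, whoCanPostMessage) and the endpoint and OAuth scope used by the fetch helper; the sample records are constructed and stand in for real API responses.

```python
"""Audit per-group Google Groups settings for exposure to anonymous Internet users.

Added example for this post (not Kenna Security's tooling and not Google's code).
It assumes the JSON field names and enum values of the Admin SDK Groups Settings
API; verify them against the current API reference before relying on the helper.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List

# Enum values that grant a capability to anyone on the Internet, not just the domain.
ARCHIVE_PUBLIC = ("whoCanViewGroup", "ANYONE_CAN_VIEW")  # the leak described in the post
REVIEW_VALUES = {
    "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER",  # group appears in the public forum listing
    "whoCanJoin": "ANYONE_CAN_JOIN",               # anonymous users can become members
}
INFO_VALUES = {
    "whoCanPostMessage": "ANYONE_CAN_POST",        # often intentional for support/sales lists
}


def classify(settings: Dict[str, str]) -> Dict[str, object]:
    """Return {"severity": ..., "findings": [...]} for one group's settings record.

    severity: "leak"   - the message archive is readable without authentication
              "review" - publicly discoverable or joinable, but the archive is not public
              "info"   - only external posting is enabled
              "ok"     - nothing is granted to anonymous users
    """
    findings: List[str] = []
    severity = "ok"
    field, value = ARCHIVE_PUBLIC
    if settings.get(field) == value:
        findings.append(f"{field}={value}")
        severity = "leak"
    for field, value in REVIEW_VALUES.items():
        if settings.get(field) == value:
            findings.append(f"{field}={value}")
            if severity == "ok":
                severity = "review"
    for field, value in INFO_VALUES.items():
        if settings.get(field) == value:
            findings.append(f"{field}={value}")
            if severity == "ok":
                severity = "info"
    return {"severity": severity, "findings": findings}


def audit(groups: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Map group email -> classification for every group that is not "ok"."""
    report: Dict[str, Dict[str, object]] = {}
    for group in groups:
        result = classify(group)
        if result["severity"] != "ok":
            report[group["email"]] = result
    return report


# Assumed endpoint of the Groups Settings API; the bearer token needs the
# apps.groups.settings OAuth scope (assumption, check the API reference).
GROUPS_SETTINGS_URL = "https://www.googleapis.com/groups/v1/groups/{}?alt=json"


def fetch_group_settings(group_email: str, access_token: str) -> Dict[str, str]:
    """Fetch one group's settings record. Not called by the offline sample run below."""
    url = GROUPS_SETTINGS_URL.format(urllib.parse.quote(group_email, safe=""))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample records standing in for API responses (not real organizations).
SAMPLE_GROUPS = [
    {"email": "accounts-payable@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER", "whoCanJoin": "CAN_REQUEST_TO_JOIN",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    {"email": "support@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER", "whoCanJoin": "CAN_REQUEST_TO_JOIN",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    {"email": "engineering@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER", "whoCanJoin": "INVITED_CAN_JOIN",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
]


def main() -> None:
    for email, result in audit(SAMPLE_GROUPS).items():
        print(f"{result['severity']:6} {email}: {', '.join(result['findings'])}")


if __name__ == "__main__":
    main()
```

Run as-is, it reports the constructed accounts-payable list as a leak and the support list as one to review; the engineering list is silent. To audit a real domain, enumerate the groups with the Admin SDK Directory API, pass each record returned by fetch_group_settings() to audit(), and treat every “leak” result as a group whose archive should be switched away from “Public on the Internet” before its view counts are examined.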
While investigating the issue, the team conducted a broad survey of 2.5 million domains, looking for configurations that were publicly exposed. After finding 9637 exposed organizations, the team utilized a random sample of 171 public organizations – enough to provide an affected count to a 90% confidence level. In doing so, the researchers determined that there were nearly 3000 leaking some form of sensitive data. Extrapolating from the original sample, it’s reasonable to assume that in total, over 10,000 organizations are currently inadvertently exposing sensitive information.
The affected organizations include Fortune 500 organizations; hospitals; universities and colleges; newspapers and television stations; financial organizations; and even US government agencies.
To demonstrate the sensitivity of this kind of information, following are some examples of real emails found during the course of the investigation:
- Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
- Re: URGENT: Past Due Invoice. Group: Accounts Payable
- Fw: Password Recovery. Group: Support
- GitHub credentials. Group: [REDACTED]
- Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
- RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management
Given the sensitive nature of this information, possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse.
This is not the first public advisory on this issue. Last year, security firm Redlock published an advisory on its blog. The same issue, or a slightly modified version of it in which authenticated but unauthorized users can view sensitive content, also appears to be the root cause of a data breach at Boston College earlier this year. The scale of the issue has not been discussed publicly until now.
The misconfiguration is in many ways reminiscent of the issues surrounding public AWS S3 buckets. In those cases, affected organizations (technically) have all the tools they need to prevent exposure of sensitive information and in many cases require this functionality to conduct business. However, sensitive data is occasionally inadvertently exposed. Similarly, when an organization’s Google Groups are misconfigured, internal mailing lists and their contents can become publicly accessible. In practice, public Google Group configurations require less effort to find than public S3 buckets, and often have more sensitive information exposed, due to the nature of email. It’s worth considering that AWS made UX changes, exposing a “Public” badge on buckets and communicated proactively to owners of public buckets.
Google does not consider this a vulnerability, so the disclosure ended with a “won’t fix” status, even after the team provided a listing of affected organizations. Upon request, Google gave permission to publish the information contained within this post and notified us that “it is always reviewing its products to help users make decisions that are appropriate for their organizations.”
Questions may be directed to firstname.lastname@example.org.