G Suite admins need to RTFM – thousands expose internal emails
The manual is confusing, to be fair, but a third of users read it wrong and are dangling data
If you're sysadmin of an organisation using Google Groups and G Suite, you need to revisit your configuration to make sure you aren't leaking internal information.
That advice comes from Kenna Security, which on June 1 said it found 31 per cent of a sample of 9,600 organisations leaking sensitive e-mail information.
The company explained while previous advisories about the issue (such as this from 2017) have explained how G Suite can leak, sysadmins appear not to be taking the matter seriously.
The problem, Kenna said in its post, is that Google Groups, available to G Suite customers, has “complex terminology” and a clash between “organisation-wide vs group-specific permissions”. As a result, list admins can “inadvertently expose e-mail list contents” (which were meant to stay in-house).
That's because when a G Suite admin creates a Groups mailing list for specific recipients, it configures a user-accessible Web interface for the list at https://groups.google.com. Either per-domain or per-group privacy settings are adjustable, and the post said the misconfiguration happens when Groups Visibility is configured to “Public on the Internet”.
“If publicly accessible, you may access your organization’s public listing at the following link: https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/”
If the group is meant to be internal to the company, the Google Group setting should be private.
And, as Kenna continued, the things shared on groups people believe to be private included customer reviews, invoices payable, password recovery / reset e-mails, and more.
The company said it found everything from government agencies down leaking information – among them Fortune 500 companies, hospitals, universities, newspapers and TV stations. Exploiting the vulnerability doesn't need any “special tooling or knowledge”, the post added.
“The misconfiguration is in many ways reminiscent of the issues surrounding public AWS S3 buckets”, Kenna noted.
Because it's a configuration issue, Google doesn't consider it a vulnerability to be fixed. Admins: RTFM. ®