A new report claims a significant number of G Suite users misconfigured Google Groups settings and exposed sensitive data, but the research leaves unanswered questions about the extent of the issue.
According to Kenna Security research, there is a "widespread" Google Groups misconfiguration problem wherein Groups are set to public and are exposing potentially sensitive email data that could lead to "spearphishing, account takeover, and a wide variety of case-specific fraud and abuse." Last year, RedLock Cloud Security Intelligence also found Google Groups misconfiguration responsible for exposure of data from hundreds of accounts.
Kenna said it sampled 2.5 million top-level domains and found 9,637 public Google Groups. Of those public Groups, the researchers sampled 171 and determined 31% of those organizations "are currently leaking some form of sensitive email" with a confidence level of 90%.
"Extrapolating from the original sample, it's reasonable to assume that in total, over 10,000 organizations are currently inadvertently exposing sensitive information," Kenna wrote in its blog post. "The affected organizations include Fortune 500 organizations; Hospitals; Universities and Colleges; Newspapers and Television stations; Financial Organizations; and even U.S. government agencies."
For context, there are currently more than 3 million paid G Suite accounts and an unknown number of free G Suite accounts, and Kenna acknowledged via email that they "do not believe [they] tested the vast majority of G Suite enabled domains." Additionally, Google confirmed that Groups are set to private by default and an administrator would need to actively choose to make a Group public or allow other users to create public Groups.
It is unclear how many G Suite accounts are set to public, but a source close to the situation said the vast majority of Google Groups are set to private, and Google has sent out messages to users who may be affected with instructions on how to fix the Google Groups misconfiguration.
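The fix Google is pointing affected administrators at comes down to one setting per group: who is allowed to read the group's archive. An administrator who wants to check every group in a domain rather than wait for a notice can pull each group's sharing settings and flag the ones readable outside the organisation. The script below is an added example for this article, not Kenna Security's scanner or Google's own tooling. The field names and values it keys on (`whoCanViewGroup`, `whoCanPostMessage`, `ANYONE_CAN_VIEW` and so on) are written to match the Google Groups Settings API as an assumption and should be verified against the current API reference; the group records are constructed sample data standing in for what a `groupssettings.groups.get` call would return for each group.

```python
"""Audit Google Groups sharing settings for archives readable outside the org.

Added example for this article; not Kenna Security's or Google's tooling.
The field names and enum values (whoCanViewGroup, whoCanPostMessage,
ANYONE_CAN_VIEW, ...) are assumed to match the Google Groups Settings API;
check them against the current API reference before relying on them. The
group records below are constructed sample data standing in for the
per-group records an administrator would fetch from the API.
"""
from typing import Dict, List

# whoCanViewGroup values, most to least exposed (assumed API enum values).
VIEW_SCOPE_RANK = {
    "ANYONE_CAN_VIEW": "public",         # archive readable by anyone on the internet
    "ALL_IN_DOMAIN_CAN_VIEW": "domain",  # readable by any account in the organisation
    "ALL_MEMBERS_CAN_VIEW": "restricted",
    "ALL_MANAGERS_CAN_VIEW": "restricted",
    "ALL_OWNERS_CAN_VIEW": "restricted",
}

# Constructed sample: one record per group, shaped like a Groups Settings
# API response. Only the fields this audit reads are included.
SAMPLE_GROUPS: List[Dict[str, str]] = [
    {"email": "all-staff@example.com",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
    # The classic mistake: a support alias opened so outsiders can write to
    # it, with the archive (every customer email) also left world-readable.
    {"email": "support@example.com",
     "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    # Worse: an internal finance alias whose archive is world-readable.
    {"email": "invoices@example.com",
     "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "board@example.com",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    # A value the script does not recognise must not be treated as safe.
    {"email": "legacy@example.com",
     "whoCanViewGroup": "SOME_NEW_VALUE"},
]


def exposure(group: Dict[str, str]) -> str:
    """Return 'public', 'domain', 'restricted' or 'unknown' for one group.

    Unrecognised or missing values are reported as 'unknown' rather than
    assumed private, so a new enum value or a partial record still gets
    looked at by a human instead of silently passing the audit.
    """
    return VIEW_SCOPE_RANK.get(group.get("whoCanViewGroup", ""), "unknown")


def audit(groups: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket group addresses by exposure level, preserving input order."""
    report: Dict[str, List[str]] = {
        "public": [], "domain": [], "restricted": [], "unknown": []}
    for g in groups:
        report[exposure(g)].append(g["email"])
    return report


def hardened(group: Dict[str, str]) -> Dict[str, str]:
    """Return the group's settings with the archive closed to non-members.

    Only archive visibility changes; who may post is left alone, so an
    externally reachable alias such as support@ keeps receiving mail while
    its history stops being browsable from the internet. The returned dict
    is what an administrator would push back through the settings API
    (assumed to be groupssettings.groups.patch); the input is not mutated.
    """
    return {**group, "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"}


if __name__ == "__main__":
    for level, emails in audit(SAMPLE_GROUPS).items():
        for email in emails:
            print(f"{level:10s} {email}")
```

Run against the constructed sample this lists `support@` and `invoices@` as public, `all-staff@` as domain-wide, `board@` as restricted and `legacy@` as unknown. The unknown bucket is deliberate: an audit that maps unfamiliar values to "private" would miss exactly the kind of quiet misconfiguration this article is about.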
Specifics versus extrapolation
Kenna Security's research likened the Google Groups misconfiguration issue to the recent spate of Amazon Web Services (AWS) exposures where S3 buckets were accidentally left public.
"Ultimately, each organization is responsible for the configuration of their systems. However, there are steps that can be taken to ensure organizations can easily understand the public/private state for something as critical as internal email," a Kenna spokesperson wrote via email. "For example, when the AWS buckets leak occurred, AWS changed its UX, exposing a 'Public' badge on buckets and communicated proactively to owners of public buckets. In practice, public Google Group configurations require less effort to find than public S3 buckets, and often have more sensitive information exposed, due to the nature of email."
However, a major difference between the research from Kenna and that done by UpGuard in uncovering multiple public AWS buckets is in the details. Kenna is extrapolating from a sample to claim that roughly 10,000 of the more than 3 million paid G Suite organizations (about 0.3%) have a misconfigured Group, and its examples of exposed emails show the potential for spear phishing attacks or fraud rather than a confirmed breach.
On the other hand, UpGuard specifically attributed the exposed data it found, including Republican National Committee voter rolls for 200 million individuals, info on 14 million Verizon customers, data scraped from LinkedIn and Facebook, and NSA files detailing military projects.
Alex Calic, chief strategy and revenue officer at The Media Trust, said Google "made the right call by making private the default setting."
"At the end of the day, companies are responsible for collaborating with their digital partners/vendors on improving and maintaining their security posture," Calic wrote via email. "This requires developing and sharing their policies on what information can be shared on workplace communication tools like Google Groups and who can access that information, keeping in mind that -- given how sophisticated hackers are becoming and the ever-present insider threat, whether an attack or negligence -- there is always some risk that the information will see the light of day."