An investigation conducted by researchers at the cyber security company Kenna Security has revealed a widespread configuration issue in Google Groups, resulting in potentially disastrous leaks of sensitive information for organisations using Google’s G Suite business platform.
Details of the investigation, published on June 1st, highlight that a significant portion of organisations using G Suite were leaking sensitive email information, with 31% of a sample of 9,600 organisations vulnerable.
Organisations using G Suite are given access to Google Groups, a web forum platform integrated with an organisation’s mailing lists. Administrators at a specific company are able to configure a Google Groups interface when creating a mailing list, and this is where the problem lies. Kenna Security claims that due to the “complexity of terminology” and the difference between “organisation-wide vs group-specific permissions” it is possible for administrators to unknowingly expose email list contents.
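To make the two-layer permission problem concrete, here is an added audit helper (example code, not Kenna Security’s tooling or anything from the original report). It assumes each group is described by the `whoCanViewGroup` field of the Groups Settings API, and models the organisation-wide sharing option as a single `org_allows_public` boolean; the rule that the org-wide option caps a group’s effective visibility is an assumption of this example.

```python
"""Flag Google Groups whose archived mail would be readable from the open Internet.

Added example, not the investigators' code. Group fields follow the Groups
Settings API (`whoCanViewGroup`); `org_allows_public` stands in for the
Admin console's organisation-wide "public on the Internet" sharing option.
"""
from dataclasses import dataclass

# Documented whoCanViewGroup values relevant to the leak.
PUBLIC_VIEW = "ANYONE_CAN_VIEW"
DOMAIN_VIEW = "ALL_IN_DOMAIN_CAN_VIEW"


@dataclass(frozen=True)
class Group:
    email: str
    who_can_view_group: str


def exposure_level(org_allows_public: bool, group: Group) -> str:
    """Classify a group's effective archive visibility.

    Assumption of this example: the organisation-wide option caps what a
    group-specific setting can grant. A group therefore leaks to the open
    Internet only when BOTH layers permit it; an admin who reads just one
    of the two settings can easily misjudge the result.
    """
    if group.who_can_view_group == PUBLIC_VIEW and org_allows_public:
        return "public"       # anyone on the Internet can read the archive
    if group.who_can_view_group in (PUBLIC_VIEW, DOMAIN_VIEW):
        return "domain"       # any account in the organisation's domain
    return "members"          # group members (or managers) only


def find_public_groups(org_allows_public: bool, groups: list[Group]) -> list[str]:
    """Return the addresses of groups an administrator should review first."""
    return sorted(g.email for g in groups
                  if exposure_level(org_allows_public, g) == "public")


# Constructed sample data for a single fictional domain.
SAMPLE_GROUPS = [
    Group("support@example.com", PUBLIC_VIEW),
    Group("finance@example.com", "ALL_MEMBERS_CAN_VIEW"),
    Group("staff@example.com", DOMAIN_VIEW),
    Group("billing@example.com", PUBLIC_VIEW),
]

if __name__ == "__main__":
    for addr in find_public_groups(True, SAMPLE_GROUPS):
        print("publicly readable archive:", addr)
```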
While investigating the issue, researchers conducted a survey of over 2.5 million domains, searching for configurations that were publicly exposed. Upon finding 9,637 exposed organisations, the team used what it describes as a “random sample” of 171 public organisations – this was enough to provide an affected count to a 90% confidence level.
In doing this, researchers established that over 3,000 organisations were leaking some form of sensitive data, including:
- Fortune 500 companies
- Universities and colleges
- Media organisations
- Financial institutions
- US Government agencies
Elaborating on its research, Kenna Security stated in a blog post that “it’s reasonable to assume that in total, over 10,000 organisations are currently inadvertently exposing sensitive information.”
Researchers say they contacted Google early on during their investigation and “made attempts to contact the most critically affected organisations”. The company’s blog post states, however, that given the scope of the issue, “many currently affected organisations remain exposed”.
Additionally, the researchers say they do not know the full extent to which this functionality has been abused on G Suite, but pointed out that exploiting it requires no “special tooling” or knowledge. Kenna Security urges administrators to remain vigilant and to act on the advice presented by the investigation.