Google Groups Glitch Lets GSuite Leak Data

Ross Kelly


Research shows that vulnerabilities in Google Groups and GSuite are leaving companies exposed and leaking sensitive data.

An investigation conducted by researchers at cyber security company Kenna Security has revealed a widespread glitch in Google Groups, resulting in potentially disastrous leaks of sensitive information for organisations using Google’s G Suite business platform.

Details of the investigation, published on June 1st, highlight that a significant portion of organisations using GSuite were leaking sensitive email information, with 31% of a sample of 9,600 organisations vulnerable.

Publicly Exposed

Organisations using GSuite are given access to Google Groups, a web forum platform integrated with an organisation’s mailing lists. Administrators at a specific company are able to configure a Google Groups interface when creating a mailing list, and this is where the problem lies. Kenna Security claims that due to the “complexity of terminology” and “organisation-wide vs groups specific permissions” it is possible for administrators to unknowingly expose email list contents.

Highly Exposed

While investigating the issue, researchers conducted a survey of over 2.5 million domains, searching for configurations that were publicly exposed. Upon finding 9637 exposed organisations, the team used what it describes as a “random sample” of 171 public organisations – this was enough to provide an affected count to a 90% confidence level.

In doing this, researchers established that over 3000 organisations were leaking some form of sensitive data, including:

  • Fortune 500 companies
  • Hospitals
  • Universities and colleges
  • Media organisations
  • Financial Institutions
  • US Government agencies

Elaborating on its research, Kenna Security stated in a blog post that “it’s reasonable to assume that in total, over 10,000 organisations are currently inadvertently exposing sensitive information.”

Google Responds

Researchers say they contacted Google early on during their investigation and “made attempts to contact the most critically affected organisations”. The company’s blog, however, states that given the scope of the issue, “many currently affected organisations remain exposed”.

Additionally, researchers are not fully aware of the abuse of the functionality on G Suite; however, they pointed out that this exploitation requires no “special tooling” or knowledge. Kenna Security urges administrators to remain vigilant and to act on the advice presented by the investigation.

Ross Kelly

Staff Writer
