
Google Groups Misconfiguration Security Advisory

RedLock CSI Team

07.24.17 9:00 AM

Google Groups Misconfiguration

The RedLock CSI team discovered hundreds of Google Groups that have publicly exposed messages containing sensitive information.

 

The Impact

The Google Groups misconfiguration has led to the exposure of sensitive data such as personally identifiable information (PII) at hundreds of organizations.

 

Background

Google Groups, a service that is a part of G Suite, allows organizations to create and participate in online forums and email-based groups. When configuring a Google Group, changing the sharing option for “Outside this domain - access to groups” enables you to make the messages public or private.

The RedLock Cloud Security Intelligence (CSI) team discovered that many organizations have accidentally set this field to “Public on the internet”, exposing messages containing sensitive information such as PII (name, email, home address, etc.).

Figure 1: Set Sharing Option for Google Group to “Private”

Recommendations

Per the Google Groups documentation, set the sharing setting for “Outside this domain - access to groups” to “Private”.
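
One way to check existing groups for this misconfiguration, as an added example that is not part of the RedLock advisory: it assumes each group's settings were exported as JSON in the shape of the Google Groups Settings API, whose per-group fields include whoCanViewGroup and whoCanJoin; the group addresses are constructed samples. It goes slightly beyond the advisory's public-on-the-internet case by also flagging members-only groups that anyone can join.

```python
import json

# Constructed sample: per-group settings shaped like Google Groups Settings
# API responses. Addresses are placeholders, not real groups.
SAMPLE_SETTINGS = json.loads("""
[
  {"email": "hr-cases@example.com",
   "whoCanViewGroup": "ANYONE_CAN_VIEW", "whoCanJoin": "INVITED_CAN_JOIN"},
  {"email": "eng-announce@example.com",
   "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW", "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
  {"email": "support@example.com",
   "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW", "whoCanJoin": "ANYONE_CAN_JOIN"},
  {"email": "broken-export@example.com"}
]
""")


def audit_group(settings):
    """Return the list of exposure findings for one group's settings dict."""
    findings = []
    view = settings.get("whoCanViewGroup")
    join = settings.get("whoCanJoin")
    if view is None:
        # An incomplete export must not be read as "private".
        findings.append("whoCanViewGroup missing: verify in the admin console")
    elif view == "ANYONE_CAN_VIEW":
        findings.append("messages readable by anyone on the internet")
    elif view == "ALL_MEMBERS_CAN_VIEW" and join == "ANYONE_CAN_JOIN":
        findings.append("members-only, but anyone can join and then read")
    return findings


def audit(groups):
    """Map group address -> findings, listing only groups that need review."""
    report = {}
    for group in groups:
        findings = audit_group(group)
        if findings:
            report[group.get("email", "<unknown>")] = findings
    return report


if __name__ == "__main__":
    for email, findings in audit(SAMPLE_SETTINGS).items():
        for finding in findings:
            print(f"{email}: {finding}")
```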

