Security researchers found hundreds of Google Groups with misconfigured access permissions, which could leave sensitive...
The RedLock Cloud Security Intelligence team found G Suite security settings for Google Groups were misconfigured by many customer organizations, leading to the exposure of personally identifiable information (PII).
"Google Groups, a service that is a part of G Suite, allows organizations to create and participate in online forums and email-based groups. When configuring a Google Group, changing the sharing option for 'Outside this domain -- access to groups' enables you to make the messages public or private," RedLock wrote in a blog post. "The RedLock Cloud Security Intelligence team discovered that many organizations have accidentally set this field to 'Public on the internet,' exposing messages containing sensitive information, [including] name, email, home address, etc."
Experts noted the similarities between the access permission misconfigurations for G Suite security and the recent issues on Amazon's Simple Storage Service (S3), which led to exposed data for a number of Amazon Web Services (AWS) users.
Scott Petry, co-founder and CEO of remote browser vendor Authentic8 Inc., based in Mountain View, Calif., said one commonality between AWS and the G Suite security issues was the "web-based interfaces might be too simplistic."
"With G Suite, the configuration dialogs are pretty explicit, but still the default options are binary -- public or private. The problem may extend beyond Groups to the full suite of collaborative apps," Petry told SearchSecurity. "In Groups, users are expected to set the access permissions for their own data when they share it. Admins can restrict this feature, but I'd imagine many have overlooked this configuration option."
Ken Spinner, vice president of field engineering at security software maker Varonis, based in New York, said the major difference is in what data RedLock found exposed by this G Suite security issue.
"Google Groups is a communications tool, and while it won't contain the terabytes of data that we've seen accidentally leak in the last couple of months from misconfigured Amazon S3 accounts, what information is exposed is likely to be of higher value to an attacker," Spinner told SearchSecurity. "Beyond the direct exposure of individuals' PII, I think the greater threat here is that malicious outsiders could mine the exposed information for passwords to leapfrog into other corporate systems or networks. Threat actors could also hunt for operational details that would let them craft more effective and targeted spear-phishing campaigns."
Petry said cloud providers like AWS and Google need to "do a better job of guiding users toward the proper configuration."
"It shouldn't be difficult to make the public option buried a little deeper in these config dialogs, and it may save some headaches. Pushing a report to admins outlining which data is shared publicly, while noisy, may help admins keep on top of the situation," Petry said. "There are audit and reporting options in G Suite for alerting on access permissions. But, like Amazon, they are buried in a sea of other reports and require explicit action by the admin."
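The report Petry describes, as an added audit example that is not code from the article, RedLock or Google: it assumes the Groups Settings API field names and enum values (whoCanViewGroup, whoCanPostMessage, whoCanJoin, isArchived) and runs over constructed sample records rather than a live API call, flagging the "Public on the internet" setting RedLock found.

```python
"""Flag Google Groups whose sharing settings expose messages outside the domain.
Added example, not from the article, RedLock or Google. It assumes the field names
and enum strings of the Groups Settings API and uses constructed sample records."""
from typing import Dict, List, Optional

# Setting values that open a group to the whole internet (assumed enum names).
ANYONE_VIEW = "ANYONE_CAN_VIEW"   # the "Public on the internet" sharing option
ANYONE_POST = "ANYONE_CAN_POST"
ANYONE_JOIN = "ANYONE_CAN_JOIN"

def assess_group(settings: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one group, or None when access stays inside the domain."""
    reasons: List[str] = []
    public_view = settings.get("whoCanViewGroup") == ANYONE_VIEW
    # The API reports booleans as the strings "true"/"false".
    archived = str(settings.get("isArchived", "true")).lower() == "true"
    if public_view and archived:
        reasons.append("message archive readable by anyone on the internet")
    elif public_view:
        reasons.append("publicly viewable, but archiving is off so no history is exposed")
    if settings.get("whoCanPostMessage") == ANYONE_POST:
        reasons.append("anyone can post to the group")
    if settings.get("whoCanJoin") == ANYONE_JOIN:
        reasons.append("anyone can join and read as a member")
    if not reasons:
        return None
    # A browsable public archive is the exposure RedLock described; rank it first.
    severity = "HIGH" if public_view and archived else "MEDIUM"
    return {"email": settings["email"], "severity": severity, "reasons": reasons}

def audit_groups(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Build the admin report: every group shared outside the domain, worst first."""
    findings = [f for f in map(assess_group, records) if f is not None]
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", f["email"]))

# Constructed sample records shaped like Groups Settings API resources.
SAMPLE_GROUPS = [
    {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW", "isArchived": "true",
     "whoCanPostMessage": "ANYONE_CAN_POST", "whoCanJoin": "INVITED_CAN_JOIN"},
    {"email": "eng-internal@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "isArchived": "true", "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST", "whoCanJoin": "CAN_REQUEST_TO_JOIN"},
    {"email": "announce@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW", "isArchived": "false",
     "whoCanPostMessage": "ALL_MANAGERS_CAN_POST", "whoCanJoin": "INVITED_CAN_JOIN"},
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f["severity"], f["email"], "; ".join(f["reasons"]))
```

In a real deployment the records would come from the Groups Settings API for every group the Directory API lists; the classification logic stays the same.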
Mike Shultz, CEO at cyber-risk management company Cybernance Corp., based in Bee Cave, Texas, said cloud services must provide better guidance or else issues like the misconfigured G Suite security permissions could lead businesses to "conclude the cloud is not a safe neighborhood for them."
"In the grand scheme of things, the cloud providers are going to need to provide more rigor around policy and process so that the move to the cloud will be risk-free and successful," Shultz told SearchSecurity. "It is clearly the responsibility of the company moving to the cloud to make sure that all of the proper security actions have been taken. Having said that, it's the cloud provider that has the long-term greater risk."
Spinner said it also "couldn't hurt" for Google to send a warning email similar to that which AWS sent to users with access permissions set to public.
"If someone accidentally opens the castle gates, they should get fair warning that the enemy has a clear path inside," Spinner said. "I would also encourage anyone using an application like Google Groups to assign a privacy 'owner' [role] -- someone within the group who takes responsibility for ensuring that privacy is reviewed periodically to ensure that private information isn't leaked."