Google warns against Groups configurations that reveal internal data
Google has again warned about Google Groups configurations that can cause organizations to expose internal data. The warning was prompted by an investigation by a security company, which found an estimated 3,000 organizations leaking internal data in this way.
In its warning, Google writes that organizations “in a small number of cases” inadvertently expose internal information by incorrectly configuring their Groups settings. For example, companies use Google Groups to create support mailing lists or facilitate internal discussions, according to the search giant. The warning follows an investigation by the security firm Kenna Security, which, together with journalist Brian Krebs, investigated unsafe configurations.
Kenna Security said it found 9,637 organizations that disclosed information through misconfigurations and estimates that a third of these organizations also leak sensitive information. For example, it found emails with financial information and login details. According to Kenna Security, the misconfigurations can be traced back to “complex language” and to settings that exist both for the entire organization and for specific groups. According to the company, this lack of clarity sometimes leads administrators to choose the wrong setting inadvertently. In the cases the company investigated, the group setting ‘public on the internet’ had been chosen.
The problem is therefore not unsafe default settings, but administrators choosing the wrong configuration. According to Krebs, in most cases it was enough to go to an organization’s Groups page and search for terms like “password,” “account,” and “username” to find sensitive data. This data would be useful to malicious parties, who can use it in targeted phishing attacks.
[Image: the setting that Kenna says often goes wrong]
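For administrators checking their own domain, the audit this implies can be sketched as follows. This is an added example, not code from Google, Kenna Security or the original article. It assumes each group's settings have already been exported as a Groups Settings API resource and that `ANYONE_CAN_VIEW` in `whoCanViewGroup` corresponds to the ‘public on the internet’ choice; the `subjects` field, the function names and the sample data are constructed for illustration.

```python
import re

# Assumption: this Groups Settings API value is what the 'public on the
# internet' option in the admin UI produces for a group.
PUBLIC_VIEW = "ANYONE_CAN_VIEW"
# The search terms named in the article; substring match also catches plurals.
SENSITIVE_TERMS = re.compile(r"password|account|username", re.IGNORECASE)

# Constructed sample: exported settings plus recent thread subjects per group.
SAMPLE_GROUPS = [
    {"settings": {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW"},
     "subjects": ["Re: reset password for billing portal", "Ticket 1182 closed"]},
    {"settings": {"email": "announce@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW"},
     "subjects": ["Office closed Friday"]},
    {"settings": {"email": "finance@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
     "subjects": ["New account credentials"]},
]


def audit_groups(groups):
    """Return one finding per world-readable group, most urgent first."""
    findings = []
    for group in groups:
        settings = group["settings"]
        if settings.get("whoCanViewGroup") != PUBLIC_VIEW:
            continue  # not readable from the internet, out of scope here
        hits = [s for s in group.get("subjects", []) if SENSITIVE_TERMS.search(s)]
        findings.append({
            "email": settings["email"],
            # Public groups with sensitive-looking threads need action first.
            "severity": "high" if hits else "review",
            "sensitive_subjects": hits,
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["email"]))
    return findings


def proposed_fix(finding):
    """Settings change an admin would apply: restrict viewing to members."""
    return {"email": finding["email"], "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"}


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(finding["severity"], finding["email"], finding["sensitive_subjects"])
```

Groups reported as `review` may be intentionally public, such as announcement lists, so the output is a worklist for a human decision rather than an automatic change.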