The RedLock CSI team discovered hundreds of Google Groups that have publicly exposed messages containing sensitive information.
The Google Groups misconfiguration has led to the exposure of sensitive data such as personally identifiable information (PII) at hundreds of organizations.
Google Groups, a service that is a part of G Suite, allows organizations to create and participate in online forums and email-based groups. When configuring a Google Group, changing the sharing option for “Outside this domain - access to groups” enables you to make the messages public or private.
The RedLock Cloud Security Intelligence (CSI) team discovered that many organizations have accidentally set this field to “Public on the internet”, exposing messages containing sensitive information such as PII (name, email, home address, etc.).
Figure 1: Set Sharing Option for Google Group to “Private”
Per Google Groups documentation, set the sharing setting for “Outside this domain - access to groups” to “private”.
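The following audit script is an added example, not part of the RedLock advisory or any Google tooling. It assumes the field and value names of the Google Groups Settings API (`whoCanViewGroup`, with `ANYONE_CAN_VIEW` corresponding to “Public on the internet” and `ALL_MEMBERS_CAN_VIEW` to “private”); the group records it runs over are constructed for illustration, standing in for what an administrator would fetch for each group in the domain. It flags groups whose messages are readable by anyone and builds the settings change that restores the private setting recommended above.

```python
"""Audit Google Group sharing settings for public message exposure.

Added example (not RedLock's code). Assumes the field and value names
of the Google Groups Settings API ("whoCanViewGroup", "ANYONE_CAN_VIEW",
...); SAMPLE_GROUP_SETTINGS is constructed, not a real fetch result.
"""
from typing import Dict, List, Tuple

# Known values of whoCanViewGroup, from most to least exposed.
KNOWN_VIEW_VALUES = [
    "ANYONE_CAN_VIEW",         # "Public on the internet": the misconfiguration
    "ALL_IN_DOMAIN_CAN_VIEW",  # anyone with an account in the organization
    "ALL_MEMBERS_CAN_VIEW",    # group members only ("private")
    "ALL_MANAGERS_CAN_VIEW",
    "ALL_OWNERS_CAN_VIEW",
]
PUBLIC_VALUE = "ANYONE_CAN_VIEW"
DOMAIN_VALUE = "ALL_IN_DOMAIN_CAN_VIEW"
PRIVATE_VALUE = "ALL_MEMBERS_CAN_VIEW"  # the setting the advisory recommends

# Constructed sample records (assumption: shape of a settings lookup per group).
SAMPLE_GROUP_SETTINGS = [
    {"email": "support@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW"},
    {"email": "hr-tickets@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},
    {"email": "eng@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
    {"email": "legacy@example.com"},  # field absent: must be reviewed by hand
]


def classify(settings: Dict[str, str]) -> str:
    """Map one group's whoCanViewGroup value to an exposure level."""
    value = settings.get("whoCanViewGroup")
    if value == PUBLIC_VALUE:
        return "PUBLIC"
    if value == DOMAIN_VALUE:
        return "DOMAIN"
    if value in KNOWN_VIEW_VALUES:
        return "PRIVATE"
    # Missing or unrecognised value: do not assume it is safe.
    return "UNKNOWN"


def audit(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (group email, exposure level) for every record."""
    return [(r.get("email", "<no email>"), classify(r)) for r in records]


def public_groups(records: List[Dict[str, str]]) -> List[str]:
    """Emails of groups whose messages anyone on the internet can read."""
    return [email for email, level in audit(records) if level == "PUBLIC"]


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count groups per exposure level for a one-line report."""
    counts: Dict[str, int] = {}
    for _, level in audit(records):
        counts[level] = counts.get(level, 0) + 1
    return counts


def remediation_patch(settings: Dict[str, str]) -> Dict[str, str]:
    """Settings change that makes the group private (members only).

    Only the field being corrected is included, so applying it leaves
    every other setting of the group untouched.
    """
    return {"whoCanViewGroup": PRIVATE_VALUE}


if __name__ == "__main__":
    for email, level in audit(SAMPLE_GROUP_SETTINGS):
        print(f"{level:8} {email}")
    print("summary:", summarize(SAMPLE_GROUP_SETTINGS))
    for email in public_groups(SAMPLE_GROUP_SETTINGS):
        print(f"remediate {email}: {remediation_patch({'email': email})}")
```

Groups with an absent or unrecognised value are reported as UNKNOWN rather than silently treated as private, so a failed or partial settings lookup does not hide an exposed group from the report.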