Researchers at RedLock, working within the Cloud Security Intelligence team, say they've discovered hundreds of organizations exposing sensitive data via Google Groups, pinning the cause on basic configuration issues.
"A customer-controlled configuration error in the Google Groups sharing settings has led to the exposure of sensitive data such as personally identifiable information (PII), including employee salary compensation details, sales pipeline data, customer passwords, names, email addresses and home addresses at hundreds of companies," an advisory shared with Salted Hash explains.
RedLock discovered the configuration problems by searching for publicly exposed groups within the top 1,000 most visited websites on Alexa. The situation appears to be a case of organizations choosing to make their groups "public on the internet", the company says. But the firms named in the advisory are just a small, random sample.
"I wouldn't say there's any method to how we picked these four, but these are names – generally – that most of us know. So, when our researchers were looking at the list, these are things that stood out and they said, 'Okay, let's take a closer look, because we know these companies,'" said Varun Badhwar, CEO and co-founder of RedLock.
The companies listed by RedLock include:
When it came to initial reaction and contact, some of the companies RedLock spoke to were receptive and addressed the issue quickly. For others, contact was more difficult, as there was no real direct means to speak with someone in security, Badhwar said.
"It would be nice, if in this day and age, people had a good responsible disclosure policy on their website with an email alias. For some of these companies we're having to tweet them and say 'hey, have somebody contact us' or for some of them it's been LinkedIn messages to executives."
Of the firms named, Badhwar said that Freshworks Inc. was the easiest to contact, whereas SpotX was the hardest. For their part, Freshworks, Inc. fixed the issue in less than an hour and corrected all the permission problems.
Salted Hash reached out to SpotX, Fusion Media Group, and The Weather Company. In an email, The Weather Company said they had received no reports about the issues. But after Salted Hash shared additional background with them, they confirmed that IT teams were aware of the problem and that it is being addressed. The other two companies were unresponsive. We'll update this story should they respond.
Perspective:
Configuration issues are a big deal, and while what RedLock has discovered isn't a sky-is-falling situation, it's still something to take note of. After all, no IT manager or administrator will be okay with sensitive data being exposed. Given that some of the organizations RedLock discovered also exposed third-party credentials, situations like this can lead to additional problems. Google, for its part, has extensive configuration and security documentation for Google Groups.
Also, for some G Suite offerings, when data is being exposed to the public outside of the domain, Google indicates this with visible warnings, the company explained. G Suite Enterprise customers also have DLP options available.
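As an added example (not RedLock's or Google's code), here is a small audit that classifies a Google Group's sharing settings by internet-wide exposure and lists the fields an administrator would change; the field names and enum values are assumed from the Groups Settings API, and the sample groups are constructed.

```python
# Added example (not RedLock's or Google's code): audit Google Groups settings for
# internet-wide exposure. Field names/enum values are assumed from the Groups
# Settings API (groupssettings v1); the sample records are constructed.
# Enum values that open a group to everyone on the internet (assumed names).
PUBLIC_SETTINGS = {
    "whoCanViewGroup": "ANYONE_CAN_VIEW",
    "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER",
    "whoCanJoin": "ANYONE_CAN_JOIN",
    "whoCanPostMessage": "ANYONE_CAN_POST",
}
# Domain-scoped replacements used by harden(); tighten further as policy requires.
DOMAIN_SETTINGS = {
    "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
    "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
    "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
    "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
}

def _is_true(value) -> bool:
    return value is True or str(value).lower() == "true"  # API serialises bools as strings

def assess_group(settings: dict) -> dict:
    """Return {'group', 'severity', 'reasons'} for one settings resource."""
    reasons = [f"{k}={v}" for k, v in PUBLIC_SETTINGS.items() if settings.get(k) == v]
    if settings.get("whoCanViewGroup") == PUBLIC_SETTINGS["whoCanViewGroup"]:
        # A readable archive is the scenario in this story: message history, and
        # any PII or credentials posted to it, is exposed to anyone, not just the domain.
        severity = "HIGH" if _is_true(settings.get("isArchived")) else "MEDIUM"
    elif reasons:
        severity = "LOW"  # discoverable/joinable/postable, but content stays private
    else:
        severity = "OK"
    return {"group": settings.get("email", "?"), "severity": severity, "reasons": reasons}

def harden(settings: dict) -> dict:
    """Return only the fields to PATCH so the group is no longer internet-public."""
    return {k: DOMAIN_SETTINGS[k] for k, v in PUBLIC_SETTINGS.items() if settings.get(k) == v}
SAMPLE_GROUPS = [  # constructed records, not real groups
    {"email": "all-hands@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER", "isArchived": "true"},
    {"email": "support@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST", "isArchived": "true"},
]

def audit(groups=SAMPLE_GROUPS) -> list:
    """Findings for groups that are not fully domain-scoped, worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = [f for f in map(assess_group, groups) if f["severity"] != "OK"]
    return sorted(findings, key=lambda f: order[f["severity"]])
```

In practice the settings dicts would come from the Groups Settings API's get call for each group in the domain, and harden() gives the patch body for any group flagged HIGH or MEDIUM.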