
Google Groups still leaking internal data

By Patronum

June 02, 2018


    Last July, we told you how RedLock researchers discovered that many organisations using Google Workspace had unintentionally exposed internal emails by misconfiguring their Google Groups settings. Unfortunately, almost 12 months later, it seems that Google Workspace administrators are still running misconfigured Google Groups that expose personal and confidential information to the public Internet.

    This month, the Kenna Security Research Team reported on their blog that 9600 organisations have public Google Groups settings and 31% are currently leaking sensitive e-mail information. This sample includes Fortune 500 organizations; hospitals; universities and colleges; newspapers and television stations; and even US government agencies.

    Anyone can check whether their company has publicly listed Google Groups by following this link, which shows the organization’s public listing if it is publicly accessible: https://groups.google.com/a/[DOMAIN]/forum/#!forumsearch/

    As an administrator, you should also check your Google Workspace Google Groups settings via the Google Admin console. This should be set to “Private” – unless you’re explicitly using the Google Groups web interface as a forum.
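One way to run this check across many groups at once, as an added example rather than code from Patronum, Kenna Security or Google: the script below audits a JSON export of per-group settings offline. The field names and values follow the Google Groups Settings API `groups` resource; the export layout, the `example.com` groups and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample export: one object per group, using field names and
# string values from the Groups Settings API `groups` resource.
SAMPLE_EXPORT = json.loads("""[
 {"email": "hr@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
  "whoCanJoin": "INVITED_CAN_JOIN", "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
  "allowExternalMembers": "false"},
 {"email": "dev@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
  "whoCanJoin": "ANYONE_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST",
  "allowExternalMembers": "true"},
 {"email": "board@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
  "whoCanJoin": "INVITED_CAN_JOIN", "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
  "allowExternalMembers": "false"},
 {"email": "legacy@example.com", "whoCanJoin": "INVITED_CAN_JOIN",
  "whoCanPostMessage": "ALL_MEMBERS_CAN_POST", "allowExternalMembers": "false"}
]""")

# Setting -> (value that opens the group beyond the organisation, finding).
CHECKS = {
    "whoCanViewGroup": ("ANYONE_CAN_VIEW", "messages readable by anyone on the Internet"),
    "whoCanJoin": ("ANYONE_CAN_JOIN", "anyone can join without an invitation"),
    "whoCanPostMessage": ("ANYONE_CAN_POST", "anyone can post to the group"),
    "allowExternalMembers": ("true", "external addresses can be members"),
}

def audit_group(settings):
    """Return the findings for one group's settings dict."""
    findings = []
    for key, (risky, message) in CHECKS.items():
        value = settings.get(key)
        if value is None:
            # A missing field is not proof of safety: flag it for manual review.
            findings.append(f"{key}: not in export, verify manually")
        elif str(value).lower() == risky.lower():
            findings.append(f"{key}={value}: {message}")
    return findings

def audit(export):
    """Map group e-mail -> findings, omitting groups with no findings."""
    report = {g.get("email", "<no email>"): audit_group(g) for g in export}
    return {email: f for email, f in report.items() if f}

if __name__ == "__main__":
    for email, findings in audit(SAMPLE_EXPORT).items():
        print(email)
        for finding in findings:
            print("  -", finding)
```

Groups that appear in the output with a `whoCanViewGroup=ANYONE_CAN_VIEW` finding are the ones whose messages are exposed in the way this article describes.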


    Kenna Security reported their findings to Google, who decided that this wasn’t considered a vulnerability, and a “won’t fix” status was recorded. While this isn’t technically a vulnerability, Google could make things a little clearer for its Google Workspace administrators, such as by flagging public Google Groups. It also seems a UX/UI flaw to display the “dangerous” setting slightly bolder than the rest, as administrators may think that it is the recommended default setting.
