Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy Technology

Thousands of Organizations Are Exposing Sensitive Data Via Google Groups Lists, Researchers Find (krebsonsecurity.com) 20

Brian Krebs reports: Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who've been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications. Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects -- and perhaps given the ability to create public accounts on otherwise private groups -- a number of organizations with household names are leaking sensitive data in their message lists. Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. Google has outlined instructions on how to secure the discussion boards.
This discussion has been archived. No new comments can be posted.

Thousands of Organizations Are Exposing Sensitive Data Via Google Groups Lists, Researchers Find

Comments Filter:
  • "Google has outlined instructions on how to secure the discussion boards" from google...

  • Every other email service provider offers a way to create alias accounts that forward to specific mailboxes suck as invoices, info, billing, etc. G-Suite doesn't offer this basic functionality. Users that want this have to create a group and it isn't exactly straight forward on how to do it.

    • by Anonymous Coward

      Ummm.... I have a dozen G-Suite domains... they all support simple alias accounts. You don't create an "alias account" and then point it to an account to forward to, you go into the account to forward to and create an alias for it. Aliases are free and work exactly how you're describing. You could even add filter rules for messages sent to the alias to also forward to many other accounts. You don't need a group.

      • Forwarding through a gmail account is very unfriendly from an IT admin side. It requires an authorization step on the recipient side, and is then managed outside of the GSuite Admin Interface.

        The default settings for google groups are either wide-open or overly locked down. Internally, we have a step-by-step guide we follow every time we create one to make sure we don't miss permissions and expose data publicly.
      • While it's true that G-Suite's current alias (nickname) feature is exactly what he's describing, what I think he means is that G-Suite does not have a simple method for creating either a distribution list or a shared mailbox.

        If I recall correctly, the Groups product was adapted to fill this hole in the Gmail functionality when Google Apps for Business was created. Unfortunately it was never really brought up to feature parity with what an exchange admin expects to be able to do.

  • Configuring settings for groups is horrible. There are a whole bunch of settings, which do not really align with google's recommendations. And there is also no option to check if any of the groups which exist are readable from the "internet". You have to check every single group, and then 4 different sections, etc.

I've noticed several design suggestions in your code.

Working...