Configuration errors blamed for sensitive data exposed via Google Groups

PII, sales data, employee compensation details and more discovered online

Researchers at RedLock, working within the Cloud Security Intelligence team, say they've discovered hundreds of organizations exposing sensitive data via Google Groups, pinning the cause on basic configuration issues.

"A customer-controlled configuration error in the Google Groups sharing settings has led to the exposure of sensitive data such as personally identifiable information (PII), including employee salary compensation details, sales pipeline data, customer passwords, names, email addresses and home addresses at hundreds of companies," an advisory shared with Salted Hash explains.

RedLock discovered the configuration problems by searching for publicly exposed groups within the top 1,000 most visited websites on Alexa. The situation appears to be a case of organizations choosing to make their groups "public on the internet," the company says.

But the firms that they named in their advisory are just a small, random sample.

"I wouldn't say there's any method to how we picked these four, but these are names – generally – that most of us know. So, when our researchers were looking at the list, these are things that stood out and they said 'okay let's take a closer look, because we know these companies,'" said Varun Badhwar, CEO and co-founder of RedLock.

The companies listed by RedLock include:

  • The Weather Company - An IBM business that operates Weather Underground, as well as weather.com.

  • Fusion Media Group - A division of Univision Communications, and the parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and more.

  • Freshworks - A cloud-based provider of helpdesk support software used by more than 100,000 organizations worldwide.

  • SpotX - A video ad platform that delivers ads to more than 600 million people per month.

When it came to initial reaction and contact, some of the companies RedLock spoke to were receptive and addressed the issue quickly. For others, contact was more difficult, as there was no real direct means to speak with someone in security, Badhwar said.

"It would be nice, if in this day and age, people had a good responsible disclosure policy on their website with an email alias. For some of these companies we're having to tweet them and say 'hey, have somebody contact us' or for some of them it's been LinkedIn messages to executives."

Of the firms named, Badhwar said that Freshworks Inc. was the easiest to contact, whereas SpotX was the hardest. For their part, Freshworks, Inc. fixed the issue in less than an hour and corrected all the permission problems.

Salted Hash reached out to SpotX, Fusion Media Group, and The Weather Company. In an email, The Weather Company said they have had no reports about the issues. But after we shared additional background with them, they confirmed IT teams were aware of the problem and that it was being addressed.

The other two companies were unresponsive. We'll update this story should they respond.

Update:

SpotX sent the following statement.

"Our team has completed a very thorough audit of all of our Google Groups to ensure that our communications are tightly secure and we can confirm that all information that is not intended for public is indeed secured. In addition, we have updated our group creation requirements. We place the utmost importance on client, partner and employee data, and our team works hard to ensure all data is secure. We will continue to do so."

Perspective:

Configuration issues are a big deal, and while what RedLock has discovered isn't a sky-is-falling situation, it's still something to take note of. After all, there isn't a working IT manager or administrator who will be okay with sensitive data being exposed.

Given that third-party credentials were also exposed by some organizations discovered by RedLock, situations like this can also lead to additional problems.

Google, for their part, has extensive configuration and security documentation for Google Groups.

Also, for some G Suite offerings, when data is exposed to the public outside of the domain, Google will indicate this with visible warnings, the company explained. Moreover, G Suite Enterprise customers have DLP options available as well.

Copyright © 2017 IDG Communications, Inc.
