Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thousands of Organizations Are Exposing Sensitive Data Via Google Groups Lists, Researchers Find (krebsonsecurity.com)

Posted by msmash on from the privacy-woes dept.

Brian Krebs reports: Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who've been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications. Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects -- and perhaps given the ability to create public accounts on otherwise private groups -- a number of organizations with household names are leaking sensitive data in their message lists. Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. Google has outlined instructions on how to secure the discussion boards.

20 comments

  1. Google groups is nachoDaddy's USENET by Anonymous Coward · · Score: 0

    No, it is not the USENET of old. So get ready to bail out, before too many secrets get leaked.

  2. Re:But that isnt all thats exposed by Anonymous Coward · · Score: 0

    No thanks, Castro fag.

  3. I miss USENET by Anonymous Coward · · Score: 0

    And I really do hate what google did to deja news. What a bunch of utter tossers.

    1. Re:I miss USENET by antdude · · Score: 1

      Um, usenet is still alive for some people. I'm on it right now!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:I miss USENET by jtgd · · Score: 1

      Those were the good ol' days. I liked groups like sci.crypt and comp.compression where smart guys hung out and some good information could be had. After usenet died they all went.... who knows where. Scattered to the four corners of the internet. Sure there might be web sites where the info can be found, but there's a lot to be said for having one place to go.

      --
      J
    3. Re:I miss USENET by pnutjam · · Score: 1

      dude, I know your old, but this is slashdot... you must be getting confused.
      ;)

      --
      Cheap storage VM.
    4. Re:I miss USENET by antdude · · Score: 1

      My old what, whippersnapper? :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  4. nice by zlives · · Score: 1

    "Google has outlined instructions on how to secure the discussion boards" from google...

    1. Re:nice by Anonymous Coward · · Score: 0

      Well, from GoogleBot. Google staff can keep on reading your private documents and mail.

  5. Everybody move to the cloud! by Anonymous Coward · · Score: 0

    Go to the cloud!
    It's more secure and safer than your own server!
    Google experts know more about security than anyone you could afford to hire!!!

    CLOUD! CLOUD! CLOUD!
    CLLOOOOOOOUUUUUUUUUDDDD!

    Fucking idiots.

  6. G-Suite is lacking basic alias forwarding by mea_culpa · · Score: 1

    Every other email service provider offers a way to create alias accounts that forward to specific mailboxes suck as invoices, info, billing, etc. G-Suite doesn't offer this basic functionality. Users that want this have to create a group and it isn't exactly straight forward on how to do it.

    1. Re:G-Suite is lacking basic alias forwarding by Anonymous Coward · · Score: 1

      Ummm.... I have a dozen G-Suite domains... they all support simple alias accounts. You don't create an "alias account" and then point it to an account to forward to, you go into the account to forward to and create an alias for it. Aliases are free and work exactly how you're describing. You could even add filter rules for messages sent to the alias to also forward to many other accounts. You don't need a group.

    2. Re:G-Suite is lacking basic alias forwarding by asdfman2000 · · Score: 1

      Forwarding through a gmail account is very unfriendly from an IT admin side. It requires an authorization step on the recipient side, and is then managed outside of the GSuite Admin Interface.

      The default settings for google groups are either wide-open or overly locked down. Internally, we have a step-by-step guide we follow every time we create one to make sure we don't miss permissions and expose data publicly.

    3. Re:G-Suite is lacking basic alias forwarding by SantiagoMcRib · · Score: 1

      While it's true that G-Suite's current alias (nickname) feature is exactly what he's describing, what I think he means is that G-Suite does not have a simple method for creating either a distribution list or a shared mailbox.

      If I recall correctly, the Groups product was adapted to fill this hole in the Gmail functionality when Google Apps for Business was created. Unfortunately it was never really brought up to feature parity with what an exchange admin expects to be able to do.

    4. Re:G-Suite is lacking basic alias forwarding by Anonymous Coward · · Score: 0

      It is exactly this. The geniuses at Google don't think it's necessary to add features that EVERY FUCKING EMAIL SERVICE PROVIDER SUPPORTS. So to do something as simple as set up a forward for a single address to, say, 3 others, you have to create a group. It is COMPLETELY ASININE. Even worse is that the settings are a complete cluster fuck, so trying to properly configure a group often leads to the merging of your forehead and your keyboard.

      Fuck you Google, FUCK YOU VERY MUCH.

      FYI, this has been the functionality from the start, even before Google Apps for Business. The only thing that changed with Google Apps for Business was that the groups were set to private by default.

    5. Re:G-Suite is lacking basic alias forwarding by zenbi · · Score: 1

      Having experience with the admin interfaces for both Google Apps for Business and for Microsoft's Outlook/Office accounts, I very much prefer the Google versions. The Google interface makes far more sense and is more responsive, while the Microsoft's is excruciatingly slow and looks like it was thrown together by a group of CS 101 students.

    6. Re:G-Suite is lacking basic alias forwarding by Anonymous Coward · · Score: 0

      You're comparing shit to puke. Neither are desirable, you're just choosing the more tolerable of the two.

      By the way, Microsoft at least supports simple forwarding.

  7. because OAuth 2.0 is hard by Anonymous Coward · · Score: 0

    I've made lots of Google API projects for dealing with this info, and the OAuth 2.0 token stuff was very fragile. If you don't implement every possible error condition, you'll end up in a state unable to refresh the token, and the google account that is authenticating and keeping the data private will have to log back in and create new tokens. Google seems to intentionally throw errors a ton to keep you on your toes, and they constantly change the specs. After years of development, I think I've finally got a framework that is bulletproof. Most people are just going to say fuck it and just make things private and trust no one will find the URL. Same thing with Amazon S3 buckets.

  8. Google UI is terrible by El_Muerte_TDS · · Score: 1

    Configuring settings for groups is horrible. There are a whole bunch of settings, which do not really align with google's recommendations. And there is also no option to check if any of the groups which exist are readable from the "internet". You have to check every single group, and then 4 different sections, etc.