Intigriti - Hack Hub
Misconfigured read permissions


Last updated 1 year ago

Description:

Google Groups can serve as a public forum for raising issues or sharing company or organisation-related news with members, but a group can also be restricted to internal use only. These permissions can be misconfigured, so it's always recommended to check whether the company you're targeting has a private Google Group set up with misconfigured access control settings.

Testing:

You can easily do so by using the search filters that search engines like Google provide:

site:groups.google.com "{companyName}"

Remediation:

If your Google Group is intended for a select few members only, make sure its privacy settings are set accordingly.

When, for instance, you create a group, the second step prompts you to select Privacy settings. Make sure to review your options there so that you don't unintentionally make changes that could introduce a new attack vector.
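
An added example, not part of the original Misconfig Mapper page: a Python audit that checks exported group settings for values that open a group beyond its members. The field names and values follow the Google Workspace Groups Settings API `groups` resource; the sample records, the `example.com` addresses and the public allow-list are constructed assumptions.

```python
# Added example: flag Google Groups whose settings expose them to outsiders.
# Keys/values mirror the Groups Settings API "groups" resource (assumption:
# settings were exported as dicts); the sample records below are constructed.

# setting -> {risky value: severity}
RISKY = {
    "whoCanViewGroup": {"ANYONE_CAN_VIEW": "high"},      # conversations world-readable
    "whoCanJoin": {"ANYONE_CAN_JOIN": "high"},           # self-join without approval
    "whoCanPostMessage": {"ANYONE_CAN_POST": "medium"},  # non-members can post
    "allowExternalMembers": {"true": "medium"},          # outside accounts may be members
}
ORDER = {"high": 0, "medium": 1}


def audit_group(settings, intended_public=False):
    """Return sorted (severity, setting, value) findings for one group."""
    if intended_public:  # deliberately public groups are out of scope
        return []
    findings = []
    for key, bad in RISKY.items():
        value = str(settings.get(key, "")).strip()
        # The API returns booleans as the strings "true"/"false".
        lookup = value.lower() if key == "allowExternalMembers" else value.upper()
        if lookup in bad:
            findings.append((bad[lookup], key, value))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


def audit_all(groups, public_allowlist=()):
    """Map group email -> findings, skipping allow-listed public groups."""
    report = {}
    for group in groups:
        email = group["email"]
        findings = audit_group(group, intended_public=email in public_allowlist)
        if findings:
            report[email] = findings
    return report


SAMPLE_GROUPS = [  # constructed records
    {"email": "finance-internal@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanJoin": "INVITED_CAN_JOIN", "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
     "allowExternalMembers": "false"},
    {"email": "community@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanJoin": "ANYONE_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST",
     "allowExternalMembers": "true"},
    {"email": "it-help@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanJoin": "ANYONE_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST",
     "allowExternalMembers": "true"},
]
```

Calling `audit_all(SAMPLE_GROUPS, {"community@example.com"})` reports only the groups that were meant to be internal, with the highest-severity settings listed first.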

Potential Impact:

Misconfigured Google Groups permissions can lead to several other issues within the organization, especially if sensitive data is exchanged on fora that are, without the members' knowledge, not private.

References:

https://workspaceupdates.googleblog.com/2018/06/configure-your-google-groups-settings.html
Choose privacy settings for a new Google Group