Is it just me?
I am trying to think of a situation where a sysadmin or an organisation would want that?
Bueller?
Anyone?
Anyone?
Bueller?
G Suite business users: go and check your configuration, and make sure you're not publishing enterprise information to the whole world. That's the warning coming from security outfit Redlock, which says it found “hundreds” of organisations leaking both organisational data and employees' personal data. As the biz's advisory …
Somewhat agree. While Google could not have made this any more foolproof (the default setting is private, just don't click the radio button in the admin console to publish G plus content to the world... don't do anything and you're good), I can't imagine why anyone would want to publish their internal social info to the world... maybe there is a situation where someone would want to post data about an event or something to the internal group but also want to publish it to the world.
Actually, this looks like Google might have changed the default from internet to private at some point, but not retroactively.
I've just checked my G Suite account and sure enough, groups (that I don't use) are enabled to be published to the Internet; so this is almost certainly going to be the case for many more. Might be many more affected.
I've just done a quick test:
- G Suite Business Domain
- Groups for Business enabled
- Admin > Apps > G Suite > Settings for Groups for Business > Advanced settings is set to:
  Outside this domain - access to groups: Public on the Internet - Anyone on the Internet can view, search, and post to groups
- Created a new Group
- did NOT select <Also grant access to anyone on the Internet> at creation time
- sent a message to the Group (from an internal account)
- Go to GROUPS app (as internal user with access)
- can see/access the message (as expected/intended)
- Go to GROUPS app/URL (as external)
i) Signed in to a G Suite account in another domain - no access, black bar bottom left of screen: "You do not have permission to access this content. (#418)"
ii) Incognito Window: same error as above.
My understanding:
The setting "Public on the Internet - Anyone on the Internet can view, search, and post to groups" enables/disables this option for an Admin or Group "Manager" to allow access from the Internet.
But unless/until they explicitly do this, these groups are NOT leaking data as suggested by the original report.
I'd be very happy to be corrected in any of the above if I've missed something/misinterpreted (been dumb!) :)
Steve.
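
The distinction drawn in the last comment (the domain-wide setting only permits public groups, while each group's own setting decides whether it is open) can be checked per group. The following is an added example, not part of the original thread: it assumes group settings have been exported as dictionaries using the Groups Settings API field names `whoCanViewGroup` and `whoCanPostMessage`, and the group addresses and the `audit_groups` helper are constructed for illustration.

```python
# Added example. Field names/values follow the Groups Settings API resource;
# the sample groups below are constructed, not real data.
PUBLIC_VIEW = "ANYONE_CAN_VIEW"
PUBLIC_POST = "ANYONE_CAN_POST"


def audit_groups(domain_allows_public, groups):
    """Separate groups that are open to the Internet from groups that are
    private today but could be opened by an admin or group manager."""
    report = {"exposed": [], "could_be_exposed": [], "private": []}
    for g in groups:
        reasons = []
        if g.get("whoCanViewGroup") == PUBLIC_VIEW:
            reasons.append("view")
        if g.get("whoCanPostMessage") == PUBLIC_POST:
            reasons.append("post")
        if reasons:
            # Flag for review even if the domain toggle is now off (conservative).
            report["exposed"].append((g["email"], reasons))
        elif domain_allows_public:
            # Domain setting permits public access; the group has not opted in.
            report["could_be_exposed"].append((g["email"], reasons))
        else:
            report["private"].append((g["email"], reasons))
    return report


# Constructed sample: one group opted in to public viewing, two did not.
SAMPLE_GROUPS = [
    {"email": "hr@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "events@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
    {"email": "it@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
]

if __name__ == "__main__":
    result = audit_groups(domain_allows_public=True, groups=SAMPLE_GROUPS)
    for bucket, entries in result.items():
        for email, reasons in entries:
            print(f"{bucket:17} {email} {','.join(reasons)}")
```
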