Fat-fingered G Suite admins spill internal biz beans onto public 'net

G Suite business users: go and check your configuration, and make sure you're not publishing enterprise information to the whole world. That's the warning coming from security outfit Redlock, which says it found “hundreds” of organisations leaking both organisational data and employees' personal data. As the biz's advisory …

  1. RudderLessIT

    Is it just me?

    I am trying to think of a situation where a sysadmin or an organisation would want that?

    Bueller?

    Anyone?

    Anyone?

    Bueller?

    1. Anonymous Coward

      Re: Is it just me?

      Somewhat agree. While Google could not have made this any more foolproof (the default setting is private, just don't click the radio button in the admin console to publish G plus content to the world... don't do anything and you're good), I can't imagine why anyone would want to publish their internal social info to the world... maybe there is a situation where someone would want to post data about an event or something to the internal group but also want to publish it to the world.

  2. Anonymous Coward

    Actually, this looks like Google might have changed the default from internet to private at some point, but not retroactively.

    I've just checked my G Suite account and sure enough, groups (that I don't use) are enabled to be published to the Internet; so this is almost certainly going to be the case for many more. Might be many more affected.

    1. Dan 55 Silver badge

      Google should send out an email giving a week's notice then make it private for everyone. If admins need it to be public they'll find the option, unlike the other way around.

  3. Steve G Suite Admin

    Misunderstood as reported, GfB NOT open to Internet by default.

    I've just done a quick test:

    - G Suite Business Domain

    - Groups for Business enabled

    - Admin > Apps > G Suite > Settings for Groups for Business > Advanced settings is set to

    Outside this domain - access to groups

    Public on the Internet - Anyone on the Internet can view, search, and post to groups

    Created a new Group

    - did NOT select <Also grant access to anyone on the Internet> at creation time

    - sent a message to the Group (from an internal account)

    - Go to GROUPS app (as internal user with access)

    - can see/access the message (as expected/intended)

    - Go to GROUPS app/URL (as external)

    i) Signed in to a G Suite account in another domain - no access, black bar bottom left of screen: "You do not have permission to access this content. (#418)"

    ii) Incognito Window: same error as above.

    My understanding:

    the setting: Public on the Internet - Anyone on the Internet can view, search, and post to groups

    enables/disables this option for an Admin or Group "Manager" to allow access from the Internet.

    But unless/until they explicitly do this, these groups are NOT leaking data as suggested by the original report.

    I'd be very happy to be corrected in any of the above if I've missed something/misinterpreted (been dumb!) :)

    Steve.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Steve G Suite Admin

      Hi - we reported what Redlock was trying to warn everyone: that some people have set up their accounts incorrectly, and you should make sure you're not making the same mistake. We've updated the story with a note from Google explaining this.

      C.

  4. Mark 65

    Chances are if so many are getting it wrong it is either not obvious or has the wrong default value.

    1. Solarflare
      Devil

      Or the wrong people are in charge of setting it up

      1. Anonymous Coward

        Agree, you would be surprised what people manage to mess up.

  5. Stevie

    Bah!

    Suggests to this former UI designer that the radio button in question is not perhaps as clear on what it does and is set unhelpfully by default.

  6. John Smith 19 Gold badge
    Unhappy

    Or just don't host your apps on a clod?

    But I suspect what others have said. That Google have (quietly) changed the default to what it should have been all along.
