Supreme Court: Police Need Warrant for Mobile Location Data

June 22, 2018
24 Comments

The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies.

Image: Wikipedia.

At issue is Carpenter v. United States, which challenged a legal theory the Supreme Court outlined more than 40 years ago known as the “third-party doctrine.” The doctrine holds that people who voluntarily give information to third parties — such as banks, phone companies, email providers or Internet service providers (ISPs) — have “no reasonable expectation of privacy.”

That framework in recent years has been interpreted to allow police and federal investigators to obtain information — such as mobile location data — from third parties without a warrant. But in a 5-4 ruling issued today that flies in the face of the third-party doctrine, the Supreme Court cited “seismic shifts in digital technology” allowing wireless carriers to collect “deeply revealing” information about mobile users that should be protected by the 4th Amendment to the U.S. Constitution, which is intended to shield Americans against unreasonable searches and seizures by the government.

Amy Howe, a reporter for SCOTUSblog.com, writes that the decision means police will generally need to get a warrant to obtain cell-site location information, a record of the cell towers (or other sites) with which a cellphone connected.

The ruling is no doubt a big win for privacy advocates, but many readers have been asking whether this case has any bearing on the sharing or selling of real-time customer location data by the mobile providers to third party companies. Last month, The New York times revealed that a company called Securus Technologies had been selling this highly sensitive real-time location information to local police forces across the United States, thanks to agreements the company had in place with the major mobile providers.

It soon emerged that Securus was getting its location data second-hand through a company called 3Cinteractive, which in turn was reselling data from California-based “location aggregator” LocationSmart. Roughly two weeks after The Times’ scoop, KrebsOnSecurity broke the news that anyone could look up the real time location data for virtually any phone number assigned by the major carriers, using a buggy try-before-you-buy demo page that LocationSmart had made available online for years to showcase its technology.

Since those scandals broke, LocationSmart disabled its promiscuous demo page. More importantly, AT&T, Sprint, T-Mobile and Verizon all have said they are now in the process of terminating agreements with third-parties to share this real-time location data.

Still, there is no law preventing the mobile providers from hashing out new deals to sell this data going forward, and many readers here have expressed concerns that the carriers can and eventually will do exactly that.

So the question is: Does today’s Supreme Court ruling have any bearing whatsoever on mobile providers sharing location data with private companies?

According to SCOTUSblog’s Howe, the answer is probably “no.”

“[Justice] Roberts emphasized that today’s ruling ‘is a narrow one’ that applies only to cell-site location records,” Howe writes. “He took pains to point out that the ruling did not ‘express a view on matters not before us’ – such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time. He acknowledged that law-enforcement officials might still be able to obtain cell-site location records without a warrant in emergencies, to deal with ‘bomb threats, active shootings, and child abductions.'” Continue reading

AT&T, Sprint, Verizon to Stop Sharing Customer Location Data With Third Parties

June 19, 2018
38 Comments

In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, AT&T, Sprint and Verizon now say they are terminating location data sharing agreements with third parties.

At issue are companies known in the wireless industry as “location aggregators,” entities that manage requests for real-time customer location data for a variety of purposes, such as roadside assistance and emergency response. These aggregators are supposed to obtain customer consent before divulging such information, but several recent incidents show that this third-party trust model is fundamentally broken.

On May 10, 2018, The New York Times broke the story that a little-known data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone across all of the major U.S. mobile networks.

Then it emerged that Securus had been hacked, its database of hundreds of law enforcement officer usernames and passwords plundered. We also learned that Securus’ data was ultimately obtained from a company called 3Cinteractive, which in turn obtained its data through a California-based location tracking firm called LocationSmart.

On May 17, KrebsOnSecurity broke the news of research by Carnegie Mellon University PhD student Robert Xiao, who discovered that a LocationSmart try-before-you-buy opt-in demo of the company’s technology was wide open — allowing real-time lookups from anyone on anyone’s mobile device — without any sort of authentication, consent or authorization.

LocationSmart disabled its demo page shortly after that story. By that time, Sen. Ron Wyden (D-Ore.) had already sent letters to AT&T, Sprint, T-Mobile and Verizon, asking them to detail any agreements to share real-time customer location data with third-party data aggregation firms.

AT&T, T-Mobile and Verizon all said they had terminated data-sharing agreements with Securus. In a written response (PDF) to Sen. Wyden, Sprint declined to share any information about third-parties with which it may share customer location data, and it was the only one of the four carriers that didn’t say it was terminating any data-sharing agreements.

T-Mobile and Verizon each said they both share real-time customer data with two companies — LocationSmart and another firm called Zumigo, noting that these companies in turn provide services to a total of approximately 75 other customers.

Verizon emphasized that Zumigo — unlike LocationSmart — has never offered any kind of mobile location information demo service via its site. Nevertheless, Verizon said it had decided to terminate its current location aggregation arrangements with both LocationSmart and Zumigo.

“Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers’ location data as soon as possible,” wrote Karen Zacharia, Verizon’s chief privacy officer. “We recognize that location information can provide many pro-consumer benefits. But our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ data. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.”

In its response (PDF), AT&T made no mention of any other company besides Securus. AT&T indicated it had no intention to stop sharing real-time location data with third-parties, stating that “without an aggregator, there would be no practical and efficient method to facilitate requests across different carriers.”

Sen. Wyden issued a statement today calling on all wireless companies to follow Verizon’s lead.

“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”

Update, 5:20 p.m. ET: Shortly after Verizon’s letter became public, AT&T and Sprint have now said they, too, will start terminating agreements to share customer location data with third parties.

“Based on our current internal review, Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” the company said in an emailed statement. “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services. Sprint previously suspended all data sharing with LocationSmart on May 25, 2018. We are taking this further step to ensure that any instances of unauthorized location data sharing for purposes not approved by Sprint can be identified and prevented if location data is shared inappropriately by a participating company.”

AT&T today also issued a statement: “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”

KrebsOnSecurity asked T-Mobile if the company planned to follow suit, and was referred to a tweet today from T-Mobile CEO John Legere, who wrote: “I’ve personally evaluated this issue & have pledged that T-Mobile will not sell customer location data to shady middlemen.” In a follow-up statement shared by T-Mobile, the company said, “We ended all transmission of customer data to Securus and we are terminating our location aggregator agreements.

Continue reading

Advertisement

Google to Fix Location Data Leak in Google Home, Chromecast

June 18, 2018
40 Comments

Google in the coming weeks is expected to fix a location privacy leak in two of its most popular consumer products. New research shows that Web sites can run a simple script in the background that collects precise location data on people who have a Google Home or Chromecast device installed anywhere on their local network.

Craig Young, a researcher with security firm Tripwire, said he discovered an authentication weakness that leaks incredibly accurate location information about users of both the smart speaker and home assistant Google Home, and Chromecast, a small electronic device that makes it simple to stream TV shows, movies and games to a digital television or monitor.

Young said the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

It is common for Web sites to keep a record of the numeric Internet Protocol (IP) address of all visitors, and those addresses can be used in combination with online geolocation tools to glean information about each visitor’s hometown or region. But this type of location information is often quite imprecise. In many cases, IP geolocation offers only a general idea of where the IP address may be based geographically.

This is typically not the case with Google’s geolocation data, which includes comprehensive maps of wireless network names around the world, linking each individual Wi-Fi network to a corresponding physical location. Armed with this data, Google can very often determine a user’s location to within a few feet (particularly in densely populated areas), by triangulating the user between several nearby mapped Wi-Fi access points. [Side note: Anyone who’d like to see this in action need only to turn off location data and remove the SIM card from a smart phone and see how well navigation apps like Google’s Waze can still figure out where you are].

“The difference between this and a basic IP geolocation is the level of precision,” Young said. “For example, if I geolocate my IP address right now, I get a location that is roughly 2 miles from my current location at work. For my home Internet connection, the IP geolocation is only accurate to about 3 miles. With my attack demo however, I’ve been consistently getting locations within about 10 meters of the device.”

Young said a demo he created (a video of which is below) is accurate enough that he can tell roughly how far apart his device in the kitchen is from another device in the basement.

“I’ve only tested this in three environments so far, but in each case the location corresponds to the right street address,” Young said. “The Wi-Fi based geolocation works by triangulating a position based on signal strengths to Wi-Fi access points with known locations based on reporting from people’s phones.”

Beyond leaking a Chromecast or Google Home user’s precise geographic location, this bug could help scammers make phishing and extortion attacks appear more realistic. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings, Young notes.

“The implications of this are quite broad including the possibility for more effective blackmail or extortion campaigns,” he said. “Threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

When Young first reached out to Google in May about his findings, the company replied by closing his bug report with a “Status: Won’t Fix (Intended Behavior)” message. But after being contacted by KrebsOnSecurity, Google changed its tune, saying it planned to ship an update to address the privacy leak in both devices. Currently, that update is slated to be released in mid-July 2018. Continue reading

Librarian Sues Equifax Over 2017 Data Breach, Wins $600

June 13, 2018
45 Comments

In the days following revelations last September that big-three consumer credit bureau Equifax had been hacked and relieved of personal data on nearly 150 million people, many Americans no doubt felt resigned and powerless to control their information. But not Jessamyn West. The 49-year-old librarian from a tiny town in Vermont took Equifax to court. And now she’s celebrating a small but symbolic victory after a small claims court awarded her $600 in damages stemming from the 2017 breach.

Vermont librarian Jessamyn West sued Equifax over its 2017 data breach and won $600 in small claims court. Others are following suit.

Just days after Equifax disclosed the breach, West filed a claim with the local Orange County, Vt. courthouse asking a judge to award her almost $5,000. She told the court that her mother had just died in July, and that it added to the work of sorting out her mom’s finances while trying to respond to having the entire family’s credit files potentially exposed to hackers and identity thieves.

The judge ultimately agreed, but awarded West just $690 ($90 to cover court fees and the rest intended to cover the cost of up to two years of payments to online identity theft protection services).

In an interview with KrebsOnSecurity, West said she’s feeling victorious even though the amount awarded is a drop in the bucket for Equifax, which reported more than $3.4 billion in revenue last year.

“The small claims case was a lot more about raising awareness,” said West, a librarian at the Randolph Technical Career Center who specializes in technology training and frequently conducts talks on privacy and security.

“I just wanted to change the conversation I was having with all my neighbors who were like, ‘Ugh, computers are hard, what can you do?’ to ‘Hey, here are some things you can do’,” she said. “A lot of people don’t feel they have agency around privacy and technology in general. This case was about having your own agency when companies don’t behave how they’re supposed to with our private information.”

West said she’s surprised more people aren’t following her example. After all, if just a tiny fraction of the 147 million Americans who had their Social Security number, date of birth, address and other personal data stolen in last year’s breach filed a claim and prevailed as West did, it could easily cost Equifax tens of millions of dollars in damages and legal fees.

“The paperwork to file the claim was a little irritating, but it only cost $90,” she said. “Then again, I could see how many people probably would see this as a lark, where there’s a pretty good chance you’re not going to see that money again, and for a lot of people that probably doesn’t really make things better.”

Equifax is currently the target of several class action lawsuits related to the 2017 breach disclosure, but there have been a few other minor victories in state small claims courts.

In January, data privacy enthusiast Christian Haigh wrote about winning an $8,000 judgment in small claims court against Equifax for its 2017 breach (the amount was reduced to $5,500 after Equifax appealed).

Haigh is co-founder of litigation finance startup Legalist. According to Inc.com, Haigh’s company has started funding other people’s small claims suits against Equifax, too. (Legalist pays lawyers in plaintiff’s suits on an hourly basis, and takes a contingency fee if the case is successful.)

Continue reading

Microsoft Patch Tuesday, June 2018 Edition

June 12, 2018
36 Comments

Microsoft today pushed out a bevy of software updates to fix more than four dozen security holes in Windows and related software. Almost a quarter of the vulnerabilities addressed in this month’s patch batch earned Microsoft’s “critical” rating, meaning malware or miscreants can exploit the flaws to break into vulnerable systems without any help from users.

Most of the critical fixes are in Microsoft browsers or browser components. One of the flaws, CVE-2018-8267, was publicly disclosed prior to today’s patch release, meaning attackers may have had a head start figuring out how to exploit the bug to attack Internet Explorer users.

According to Recorded Future, the most important patched vulnerability is a remote code execution vulnerability in the Windows Domain Name System (DNS), which is present in all versions of supported versions of Windows from Windows 7 to Windows 10 as well as all versions of Windows Server from 2008 to 2016.

“The vulnerability allows an attacker to send a maliciously crafted DNS packet to the victim machine from a DNS server, or even send spoofed DNS responses from attack box,” wrote Allan Liska, a threat intelligence analyst at Recorded Future. “Successful exploitation of this vulnerability could allow an attacker to take control of the target machine.”

Security vendor Qualys says mobile workstations that may connect to untrusted Wi-Fi networks are at high risk and this DNS patch should be a priority for them. Qualys also notes that Microsoft this month is shipping updates to mitigate another variant of the Spectre vulnerability in Intel machines.

And of course there are updates available to address the Adobe Flash Player vulnerability that is already being exploited in active attacks. Read more on that here. Continue reading

Bad .Men at .Work. Please Don’t .Click

June 11, 2018
79 Comments

Web site names ending in new top-level domains (TLDs) like .men, .work and .click are some of the riskiest and spammy-est on the Internet, according to experts who track such concentrations of badness online. Not that there still aren’t a whole mess of nasty .com, .net and .biz domains out there, but relative to their size (i.e. overall number of domains) these newer TLDs are far dicier to visit than most online destinations.

There are many sources for measuring domain reputation online, but one of the newest is The 10 Most Abused Top Level Domains list, run by Spamhaus.org. Currently at the #1 spot on the list (the worst) is .men: Spamhaus says of the 65,570 domains it has seen registered in the .men TLD, more than half (55 percent) were “bad.”

According to Spamhaus, a TLD may be “bad” because it is tied to spam or malware dissemination (or both). More specifically, the “badness” of a given TLD may be assigned in two ways:

“The ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. Or, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.”

More than 1,500 TLDs exist today, but hundreds of them were introduced in just the past few years. The nonprofit organization that runs the domain name space — the Internet Corporation for Assigned Names and Numbers (ICANN) — enabled the new TLDs in response to requests from advertisers and domain speculators — even though security experts warned that an onslaught of new, far cheaper TLDs would be a boon mainly to spammers and scammers.

And what a boon it has been. The newer TLDs are popular among spammers and scammers alike because domains in many of these TLDs can be had for pennies apiece. But not all of the TLDs on Spamhaus’ list are prized for being cheaper than generic TLDs (like .com, .net, etc.). The cheapest domains at half of Spamhaus’ top ten “baddest” TLDs go for prices between $6 and $14.50 per domain.

Still, domains in the remaining five Top Bad TLDs can be had for between 48 cents and a dollar each.

Security firm Symantec in March 2018 published its own Top 20 list of Shady TLDs:

Symantec’s “Top 20 Shady TLDs,” published in March 2018.

Spamhaus says TLD registries that allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet.

“Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains,” Spamhaus’ World’s Most Abused TLDs page explains.

Namecheap, a Phoenix, Ariz. based domain name registrar that in Oct. 2017 was the fourth-largest registrar, currently offers by a wide margin the lowest registration prices for three out of 10 of Spamhaus’ baddest TLDs, selling most for less than 50 cents each.

Namecheap also is by far the cheapest registrar for 11 of Symantec’s Top 20 Shady New TLDs: Namecheap is easily the least expensive registrar to secure a domain in 11 of the Top 20, including .date, .trade, .review, .party, .loan, .kim, .bid, .win, .racing, .download and .stream. Continue reading

Adobe Patches Zero-Day Flash Flaw

June 7, 2018
24 Comments

Adobe has released an emergency update to address a critical security hole in its Flash Player browser plugin that is being actively exploited to deploy malicious software. If you’ve got Flash installed — and if you’re using Google Chrome or a recent version of Microsoft Windows you do — it’s time once again to make sure your copy of Flash is either patched, hobbled or removed.

In an advisory published today, Adobe said it is aware of a report that an exploit for the previously unknown Flash flaw — CVE-2018-5002 — exists in the wild, and “is being used in limited, targeted attacks against Windows users. These attacks leverage Microsoft Office documents with embedded malicious Flash Player content distributed via email.”

The vulnerable versions of Flash include v. 29.0.0.171 and earlier. The version of Flash released today brings the program to v. 30.0.0.113 for Windows, Mac, Linux and Chrome OS. Check out this link to detect the presence of Flash in your browser and the version number installed.

Both Internet Explorer/Edge on Windows 10 and Chrome should automatically prompt users to update Flash when newer versions are available. At the moment, however, I can’t see any signs yet that either Microsoft or Google has pushed out new updates to address the Flash flaw. I’ll update this post if that changes. (Update: June 8, 11:01 a.m. ET: Looks like the browser makers are starting to push this out. You may still need to restart your browser for the update to take effect.)

Adobe credits Chinese security firm Qihoo 360 with reporting the zero-day Flash flaw. Qihoo said in a blog post that the exploit was seen being used to target individuals and companies in Doha, Qatar, and is believed to be related to a nation-state backed cyber-espionage campaign that uses booby-trapped Office documents to deploy malware.

In February 2018, Adobe patched another zero-day Flash flaw that was tied to cyber espionage attacks launched by North Korean hackers. Continue reading

Further Down the Trello Rabbit Hole

June 6, 2018
20 Comments

Last month’s story about organizations exposing passwords and other sensitive data via collaborative online spaces at Trello.com only scratched the surface of the problem. A deeper dive suggests a large number of government agencies, marketing firms, healthcare organizations and IT support companies are publishing credentials via public Trello boards that quickly get indexed by the major search engines.

By default, Trello boards for both enterprise and personal use are set to either private (requires a password to view the content) or team-visible only (approved members of the collaboration team can view).

But individual users may be able to manually share personal boards that include personal or proprietary employer data, information that gets cataloged by Internet search engines and available to anyone with a Web browser.

David Shear is an analyst at Flashpoint, a New York City based threat intelligence company. Shear spent several weeks last month exploring the depths of sensitive data exposed on Trello. Amid his digging, Shear documented hundreds of public Trello boards that were exposing passwords and other sensitive information. KrebsOnSecurity worked with Shear to document and report these boards to Trello.

Shear said he’s amazed at the number of companies selling IT support services that are using Trello not only to store their own passwords, but even credentials to manage customer assets online.

“There’s a bunch of different IT shops using it to troubleshoot client requests, and to do updates to infrastructure,” Shear said. “We also found a Web development team that’s done a lot of work for various dental offices. You could see who all their clients were and see credentials for clients to log into their own sites. These are IT companies doing this. And they tracked it all via [public] Trello pages.”

One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

Credentials shared on Trello by an employee of Seceon, a cybersecurity firm.

Shear also found that a senior software engineer working for Red Hat Linux in October 2017 posted administrative credentials to two different servers apparently used to test new builds.

Credentials posted by a senior software engineer at Red Hat.

The Maricopa County Department of Public Health (MCDPH) in Arizona used public Trello boards to document a host of internal resources that are typically found behind corporate intranets, such as this board that aggregated information for new hires (including information about how to navigate the MCDPH’s payroll system):

The (now defunct) Trello page for the Maricopa County Department of Public Health.

Even federal health regulators have made privacy missteps with Trello. Shear’s sleuthing uncovered a public Trello page maintained by HealthIT.gov — the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) — that was leaking credentials.

There appear to be a great many marketers and realtors who are using public Trello boards as their personal password notepads. One of my favorites is a Trello page maintained by a “virtual assistant” who specializes in helping realtors find new clients and sales leads. Apparently, this person re-used her Trello account password somewhere else (and/or perhaps re-used it from a list of passwords available on her Trello page), and as a result someone added a “You hacked” card to the assistant’s Trello board, urging her to change the password.

One realtor from Austin, Texas who posted numerous passwords to her public Trello board apparently had her Twitter profile hijacked and defaced with a photo featuring a giant Nazi flag and assorted Nazi memorabilia. It’s not clear how the hijacker obtained her password, but it appears to have been on Trello for some time.

Other entities that inadvertently shared passwords for private resources via public Trello boards included a Chinese aviation authority; the International AIDS Society; and the global technology consulting and research firm Analysis Mason, which also exposed its Twitter account credentials on Trello until very recently. Continue reading

Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage

June 5, 2018
36 Comments

MyHeritage, an Israeli-based genealogy and DNA testing company, disclosed today that a security researcher found on the Internet a file containing the email addresses and hashed passwords of more than 92 million of its users.

MyHeritage says it has no reason to believe other user data was compromised, and it is urging all users to change their passwords. It says sensitive customer DNA data is stored on IT systems that are separate from its user database, and that user passwords were “hashed” — or churned through a mathematical model designed to turn them into unique pieces of gibberish text that is (in theory, at least) difficult to reverse.

MyHeritage did not say in its blog post which method it used to obfuscate user passwords, but suggested that it had added some uniqueness to each password (beyond the hashing) to make them all much harder to crack.

“MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer,” wrote Omer Deutsch, MyHeritage’s chief information security officer. “This means that anyone gaining access to the hashed passwords does not have the actual passwords.”

The company said the security researcher who found the user database reported it on Monday, June 4. The file contained the email addresses and hashed passwords of 92,283,889 users who created accounts at MyHeritage up to and including Oct. 26, 2017, which MyHeritage says was “the date of the breach.”

MyHeritage added that it is expediting work on an upcoming two-factor authentication option that the company plans to make available to all MyHeritage users soon.

“This will allow users interested in taking advantage of it, to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access,” the blog post concludes.

MyHeritage has not yet responded to requests for comment and clarification on several points. I will update this post if that changes. Continue reading

Are Your Google Groups Leaking Data?

June 1, 2018
21 Comments

Google is reminding organizations to review how much of their Google Groups mailing lists should be public and indexed by Google.com. The notice was prompted in part by a review that KrebsOnSecurity undertook with several researchers who’ve been busy cataloging thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.

Google Groups is a service from Google that provides discussion groups for people sharing common interests. Because of the organic way Google Groups tend to grow as more people are added to projects — and perhaps given the ability to create public accounts on otherwise private groups — a number of organizations with household names are leaking sensitive data in their message lists.

Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails.

By default, Google Groups are set to private. But Google acknowledges that there have been “a small number of instances where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings.”

In early May, KrebsOnSecurity heard from two researchers at Kenna Security who started combing through Google Groups for sensitive data. They found thousands of organizations that seem to be inadvertently leaking internal or customer information.

The researchers say they discovered more than 9,600 organizations with public Google Groups settings, and estimate that about one-third of those organizations are currently leaking some form of sensitive email. Those affected include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies.

In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as “password,” “account,” “hr,” “accounting,” “username” and “http:”.

Many organizations seem to have used Google Groups to index customer support emails, which can contain all kinds of personal information — particularly in cases where one employee is emailing another.

Here are just a few of their more eyebrow-raising finds:

• Re: Document(s) for Review for Customer [REDACTED]. Group: Accounts Payable
• Re: URGENT: Past Due Invoice. Group: Accounts Payable
• Fw: Password Recovery. Group: Support
• GitHub credentials. Group: [REDACTED]
• Sandbox: Finish resetting your Salesforce password. Group: [REDACTED]
• RE: [REDACTED] Suspension Documents. Group: Risk and Fraud Management

Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources.

This information could be a potential gold mine for hackers seeking to conduct so-called “spearphishing” attacks that single out specific employees at a targeted organization. Such information also would be useful for criminals who specialize in “business email compromise” (BEC) or “CEO fraud” schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country.

“The possible implications include spearphishing, account takeover, and a wide variety of case-specific fraud and abuse,” the Kenna Security team wrote.

Continue reading