Google Groups Security Bypass and Controls to Fix It
Google Groups Security Bug to Email Managers and Owners
This was reported to the Google Bug Bounty Team. They have reviewed and accepted the issue. This means that anyone running Google Workspace needs to mitigate and control this issue themselves. There is no guarantee it will be patched.
Details
This is a big risk mainly when the group accepts public postings from non-domain accounts. The same trick works against internal-only groups, but there you can manage it at other levels as well (who can post, who is a member).
If a sender addresses a group as groupname+managers@domain or groupname+owners@domain in the To or CC field, the message is delivered to the group's managers or owners, bypassing group settings that prohibit members, or the public, from messaging managers or owners directly.
Attack scenario
Anyone can exploit this, even if they are not a member of the group. I was able to send messages simply by having the group address and appending the +managers and +owners extensions.
Controls
Step 1: In the Google Workspace Admin console, go to Apps > Google Workspace > Gmail > Compliance.
Step 2: Add a rule under Content compliance.
Step 3: Use this regular expression carefully: parents.*\+(managers|owners)
For my groups, "parents" is a string in the name of the group I am trying to filter/control. You may have something different. For example, you may have student groups shared between your students and another school. If the group is called volunteers@mydomain.org, your expression becomes: volunteers.*\+(managers|owners)
Two caveats before you deploy it. First, the .* makes the pattern loose: it also fires on any other group whose name contains "parents" (grandparents@, for instance) and on anything that happens to sit between "parents" and "+managers" in the header. If the group's local part is exactly parents, the tighter parents\+(managers|owners)@ is safer. Second, the sub-address only has to be an SMTP envelope recipient for Google Groups to deliver it, so a sender who puts it in Bcc leaves nothing in the To or CC headers for a header match to find. Content compliance also lets you filter on "Only affect specific envelope recipients" with a pattern match; put the same regex there as well.
Step 4: Add the regex as the rule's content match (Advanced content match, location Recipients header, match type Matches regex) and set the action to reject or quarantine the message.
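To check what the rule actually catches before deploying it, here is an added Python example (not from the original post, and not Google's code) that applies an equivalent, slightly tighter regex to the recipient headers and to the SMTP envelope recipients of two constructed messages. The group names, domain and messages are assumptions for illustration. It shows the two points that matter for the control: a loosely anchored pattern also matches unrelated groups such as grandparents@, and a header-only rule misses a role address that appears only in the envelope (Bcc).

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Sub-address suffixes Google Groups routes to the group's role holders.
ROLE_SUFFIXES = ("managers", "owners")


def build_rule_regex(group_local_parts, domain):
    """Compile a regex for <group>+managers@domain / <group>+owners@domain.

    Tighter than the page's `parents.*\\+(managers|owners)`: each group
    local-part must start at a token boundary and the domain is matched, so a
    rule for parents@ does not fire on grandparents+owners@ or on unrelated
    text sitting between "parents" and "+owners".  Only RE2-compatible syntax
    is used (no lookbehind), so the pattern can be pasted into a
    "Matches regex" condition in the Admin console.
    """
    groups = "|".join(re.escape(g) for g in group_local_parts)
    roles = "|".join(ROLE_SUFFIXES)
    pattern = (
        rf"(?:^|[^A-Za-z0-9._%+-])"      # start of string or a non-address char
        rf"(?:{groups})\+(?:{roles})@"   # group+managers@ / group+owners@
        rf"{re.escape(domain)}"
    )
    return re.compile(pattern, re.IGNORECASE)


def header_recipients(msg):
    """Addresses a Recipients-header rule sees: To and Cc only."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields) if addr]


def evaluate(raw_message, envelope_rcpts, rule):
    """Which control would catch a role-address delivery, if any.

    Returns "header" when a Content compliance rule matched against the
    Recipients header fires, "envelope" when only an envelope-recipient
    filter would fire (the address is an SMTP RCPT TO / Bcc target but absent
    from To and Cc), and None when neither matches.
    """
    msg = message_from_string(raw_message)
    if any(rule.search(addr) for addr in header_recipients(msg)):
        return "header"
    if any(rule.search(rcpt) for rcpt in envelope_rcpts):
        return "envelope"
    return None


# Constructed sample messages and envelopes (assumptions, not from the page).
DIRECT = """\
From: outsider@example.net
To: "Parents group" <parents+owners@mydomain.org>
Subject: Please read

Delivered to every owner, bypassing the group's posting rules.
"""

BCC_ONLY = """\
From: outsider@example.net
To: parents@mydomain.org
Subject: Please read

The role address appears only in the SMTP envelope, not in any header.
"""

RULE = build_rule_regex(["parents", "volunteers"], "mydomain.org")

if __name__ == "__main__":
    print(evaluate(DIRECT, ["parents+owners@mydomain.org"], RULE))  # header
    print(evaluate(BCC_ONLY, ["parents@mydomain.org",
                              "parents+owners@mydomain.org"], RULE))  # envelope
    print(evaluate(BCC_ONLY, ["parents@mydomain.org"], RULE))  # None
```

The second message is the case a header-only rule misses: the role address never appears in To or Cc, so only a check on the envelope recipients (the "Only affect specific envelope recipients" pattern match in Content compliance) sees it.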
Copyright © Domain Seven LLC. All rights reserved.
For permissions to use or share any content behind our paywall, please email us at: tonydeprato@domain7.tech .