GGvulnz — How to check your domain and groups settings

Stéphane Giron
Jan 21 · 3 min read

On my Twitter timeline the article GGvulnz — How I hacked hundreds of companies through Google Groups popped up and got some traction.

That article describes how a person outside your domain can get into your company's Slack workspace by using a Google Group of your domain that is publicly accessible. I leave you to read the original article, it is interesting. The question now is how to prevent it, and how to identify whether some of your groups are concerned.

Global Google Groups External access setting

In the Google Groups settings of the Admin Console there is a top-level parameter that forbids access to the Google Groups interface for users outside the domain:

Restrict access to Google Groups interface for external users

If your setting is already Private, this vector is already closed for you.

As an immediate action you can switch this setting to Private; external users will then no longer be able to open the web interface of any group of your domain. Be aware that it is a domain-wide switch: a group you deliberately expose to the public (a support or announcement list, for example) loses its public web archive too, so confirm you have none before flipping it. Direct link to the Admin Console: click here

Check your Google Groups to identify the groups at risk

Even with the global setting fixed, it is worth auditing your groups to find those that have both "Anyone can view content" and "Anyone can post" enabled, since that combination is exactly what the original article abuses.

Checking every group by hand is cumbersome; fortunately Google Apps Script comes to the rescue :-)

We will walk through all Google Groups of the domain with AdminDirectory.Groups.list() and, for each one, retrieve its sharing settings with AdminGroupsSettings.Groups.get(). The sharing settings are not part of the Directory API, which is why both advanced services are needed. The result tells you which of your groups have to be corrected.

appsscript.json:

{
  "timeZone": "Europe/Paris",
  "dependencies": {
    "enabledAdvancedServices": [{
      "userSymbol": "AdminDirectory",
      "serviceId": "admin",
      "version": "directory_v1"
    }, {
      "userSymbol": "AdminGroupsSettings",
      "serviceId": "groupssettings",
      "version": "v1"
    }]
  },
  "exceptionLogging": "STACKDRIVER",
  "oauthScopes": [
    "https://www.googleapis.com/auth/script.scriptapp",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/spreadsheets"
  ]
}

Code.js:

function checkGroupsSettings() {
  Logger.log('start');
  var page;
  var pageToken;
  var rep = [];
  rep.push(['Email', 'Name', 'Description', 'Who can post', 'Who can view', 'GGvulnz']);
  // Walk every page of the domain's group list (the API returns 200 groups per page by default).
  do {
    page = AdminDirectory.Groups.list({
      customer: 'my_customer',
      pageToken: pageToken,
      orderBy: 'email',
      sortOrder: 'ASCENDING'
    });
    if (page.groups && page.groups.length > 0) {
      for (var i = 0; i < page.groups.length; i++) {
        var group = page.groups[i];
        // Sharing settings live in the Groups Settings API, not in the Directory API.
        var settings = getSettingsGroup(group.email);
        rep.push([group.email, group.name, group.description || '',
                  settings.whoCanPostMessage, settings.whoCanViewGroup, isGGvulnz(settings)]);
      }
    } else {
      Logger.log('No groups found.');
    }
    pageToken = page.nextPageToken;
  } while (pageToken);

  var ss = SpreadsheetApp.create('Check Groups Security GGvulnz');
  var sheet = ss.getSheets()[0];
  sheet.getRange(1, 1, rep.length, rep[0].length).setValues(rep);
  sheet.getRange(1, 1, sheet.getLastRow(), sheet.getLastColumn()).createFilter();
  // Highlight in red every data row whose GGvulnz column (F) is TRUE.
  // The range covers only the rows below the header (the original code overshot by one row).
  var dataRows = rep.length - 1;
  if (dataRows > 0) {
    var conditionalFormatRules = sheet.getConditionalFormatRules();
    conditionalFormatRules.push(SpreadsheetApp.newConditionalFormatRule()
      .setRanges([sheet.getRange(2, 1, dataRows, rep[0].length)])
      .whenFormulaSatisfied('=$F2')
      .setBackground('#F4C7C3')
      .build());
    sheet.setConditionalFormatRules(conditionalFormatRules);
  }
  Logger.log(ss.getUrl());
}

// The GGvulnz condition: the archive is readable by anyone on the Internet
// AND anyone on the Internet can post to the group.
function isGGvulnz(settings) {
  return settings.whoCanPostMessage == 'ANYONE_CAN_POST' &&
         settings.whoCanViewGroup == 'ANYONE_CAN_VIEW';
}

// Groups Settings API lookup; the group's email address is its unique id.
function getSettingsGroup(email) {
  return AdminGroupsSettings.Groups.get(email);
}

In Code.js we also add a filter on the header row, with createFilter(), so the data is easier to sort and filter, and a conditional formatting rule that highlights the rows in issue.

The script creates a spreadsheet; you can find its link in the log (CTRL+Enter) or the file itself in the root folder of your Drive.
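The same audit logic as plain JavaScript, added here as an example and not part of the article's script: the group listing and the per-group settings lookup are passed in as functions, so the walker can be run offline against the constructed sample data below and, inside Apps Script, against the real AdminDirectory and AdminGroupsSettings services. It goes a bit beyond the article's single boolean: the two single-flag cases (public archive only, public posting only) are reported separately, a settings lookup that fails no longer aborts the whole run, and for each finding it builds the patch body that closes the hole. The sample groups, the example.com addresses and the target values ALL_MEMBERS_CAN_VIEW / ALL_IN_DOMAIN_CAN_POST are assumptions; adjust the targets to your own policy.

```javascript
// Added example, not the original article's code. Pure JavaScript so it runs
// offline; the two Admin API calls are injected as functions.

// Values returned by the Groups Settings API in whoCanViewGroup / whoCanPostMessage.
const PUBLIC_VIEW = 'ANYONE_CAN_VIEW';
const PUBLIC_POST = 'ANYONE_CAN_POST';

// Classify one group's sharing settings. Only the combination of a public
// archive and public posting is the GGvulnz condition the article checks;
// the single-flag cases are reported separately because each is still worth
// a look (a public archive leaks every message to the Internet, public
// posting lets anyone inject mail into an internal list).
function classifyGroup(settings) {
  const view = settings.whoCanViewGroup === PUBLIC_VIEW;
  const post = settings.whoCanPostMessage === PUBLIC_POST;
  if (view && post) return 'GGVULNZ';
  if (view) return 'PUBLIC_ARCHIVE';
  if (post) return 'PUBLIC_POSTING';
  return 'OK';
}

// Minimal Groups Settings patch body that closes the hole. Returns null when
// nothing needs to change. Target values are assumptions for this example.
function remediationPatch(settings) {
  const patch = {};
  if (settings.whoCanViewGroup === PUBLIC_VIEW) patch.whoCanViewGroup = 'ALL_MEMBERS_CAN_VIEW';
  if (settings.whoCanPostMessage === PUBLIC_POST) patch.whoCanPostMessage = 'ALL_IN_DOMAIN_CAN_POST';
  return Object.keys(patch).length ? patch : null;
}

// Walk every page of the group listing, like the do/while loop in the article,
// and return one report row per group. listGroups(pageToken) must return
// {groups, nextPageToken}; getSettings(email) returns the settings object.
function auditGroups(listGroups, getSettings) {
  const rows = [];
  let pageToken;
  do {
    const page = listGroups(pageToken);
    for (const g of page.groups || []) {
      let settings;
      try {
        settings = getSettings(g.email);
      } catch (e) {
        // One unreadable group must not abort the whole audit; record it instead.
        rows.push({ email: g.email, status: 'ERROR', error: String(e) });
        continue;
      }
      rows.push({ email: g.email, status: classifyGroup(settings), patch: remediationPatch(settings) });
    }
    pageToken = page.nextPageToken;
  } while (pageToken);
  return rows;
}

// ---- Constructed sample data standing in for the two Admin APIs (assumed) ----
const SAMPLE_PAGES = [ // two pages, to exercise the pageToken loop
  { groups: [{ email: 'dev@example.com' }, { email: 'support@example.com' }], nextPageToken: 'p2' },
  { groups: [{ email: 'alerts@example.com' }, { email: 'broken@example.com' }] },
];
const SAMPLE_SETTINGS = {
  'dev@example.com':     { whoCanViewGroup: 'ANYONE_CAN_VIEW',        whoCanPostMessage: 'ANYONE_CAN_POST' },
  'support@example.com': { whoCanViewGroup: 'ALL_MEMBERS_CAN_VIEW',   whoCanPostMessage: 'ANYONE_CAN_POST' },
  'alerts@example.com':  { whoCanViewGroup: 'ALL_IN_DOMAIN_CAN_VIEW', whoCanPostMessage: 'ALL_MEMBERS_CAN_POST' },
};

function sampleListGroups(pageToken) {
  return SAMPLE_PAGES[pageToken === 'p2' ? 1 : 0];
}

function sampleGetSettings(email) {
  // 'broken@example.com' has no entry, which simulates a failing API call.
  if (!(email in SAMPLE_SETTINGS)) throw new Error('Not Authorized to access this resource/api');
  return SAMPLE_SETTINGS[email];
}

// Run the audit over the constructed data.
function runSampleAudit() {
  return auditGroups(sampleListGroups, sampleGetSettings);
}
```

Inside Apps Script the same walker is called with the real services, for example auditGroups(function (t) { return AdminDirectory.Groups.list({ customer: 'my_customer', pageToken: t }); }, function (e) { return AdminGroupsSettings.Groups.get(e); }), and a non-null patch can be applied with AdminGroupsSettings.Groups.patch(patch, email) (resource first, then the group id, which is the usual advanced-service signature; verify it in your editor before running it against production groups).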

Result of GGvulnz Script Checker

You can make a copy of the script: Get script file >>

It is also available on GitHub: link.

Some remarks

The original article is a good reminder of how careful you have to be with sharing settings whenever you make content publicly available, whether a Google Group or a Drive file.

No account was hacked in that article; it is more reverse engineering than hacking.
