sam
@sam@cablespaghetti.dev
I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.
This is because for any sensible configuration of Google Groups, when using it for email groups, you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode has the same problem of everyone being able to see all the messages.
Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.
Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However, that isn't how anyone uses it in my experience...
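An audit check for the two exposures described in the posts above, added here as an example and not part of the original thread. It assumes group settings have already been exported as dicts using the Groups Settings API field names `whoCanViewGroup` and `whoCanJoin`; the mapping of the admin UI's view and join options to those fields is an assumption, and the sample groups are constructed.

```python
# Added example: flag groups whose message history or membership is open to
# the whole organisation. Input dicts use Groups Settings API field names;
# the sample data below is constructed for illustration.

VIEW_TOO_BROAD = {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"}
JOIN_TOO_BROAD = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}


def audit_group(settings):
    """Return a list of findings for one group's settings dict."""
    findings = []
    view = settings.get("whoCanViewGroup")
    join = settings.get("whoCanJoin")
    # A missing field is reported rather than assumed safe.
    if view is None or view in VIEW_TOO_BROAD:
        findings.append(f"message history readable by non-members ({view})")
    if join is None or join in JOIN_TOO_BROAD:
        findings.append(f"joinable without approval ({join})")
    return findings


def audit_all(groups):
    """Map group email -> findings, listing only groups with a finding."""
    report = {}
    for group in groups:
        findings = audit_group(group)
        if findings:
            report[group["email"]] = findings
    return report


# Constructed sample export: one wide-open group, one open to join only,
# and one locked-down group that still accepts external mail.
SAMPLE_GROUPS = [
    {"email": "directors@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN", "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "finance@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN", "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
    {"email": "support@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanJoin": "INVITED_CAN_JOIN", "whoCanPostMessage": "ANYONE_CAN_POST"},
]

if __name__ == "__main__":
    for email, findings in audit_all(SAMPLE_GROUPS).items():
        for finding in findings:
            print(f"{email}: {finding}")
```

The `support@example.com` entry passes: accepting mail from outside senders is a separate setting from who can read the archive or join.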
@sam agree this is absolutely crazy, it's been like it forever, I wrote about it a couple of years ago as part of a guide on securing Google Workspace:
@sam it's simply because they sometimes neglect to annihilate the technology they merge with to give them an advantage. Google acquired Usenet archives in 2001, merged them with Groups, made Groups a "Usenet client" then pushed for Usenet obsolescence by having the new posts not use Usenet but using the same UI. Usenet was meant to be public, Groups was not. But you can't claim that if you use privacy by default.