gubble: audit Google Workspace group settings
gubble
gubble is a tool designed to audit Google Workspace group settings. It analyzes settings such as who can join, view membership, post messages, view conversations, and more to help identify potential security risks associated with group configurations.
Google Groups is a service that allows users to create and manage online discussion groups and email lists. It provides a platform for community discussions, with features like email lists, web forums, Q&A forums, and collaborative inboxes. However, with great power comes great responsibility. A group with misconfigured permissions can lead to excessive data exposure and privilege escalation if the risks are not understood.
During penetration tests, testers often aim to identify groups that can be joined, groups that let many users read privileged conversations, or groups configured in a way that makes internal phishing easier. gubble is a tool that aims to automate that process.
| Setting (API field) | Risky Permission | Notes |
|---|---|---|
| whoCanJoin | ANYONE_CAN_JOIN, ALL_IN_DOMAIN_CAN_JOIN | Anyone (ANYONE_CAN_JOIN) or anyone in the domain (ALL_IN_DOMAIN_CAN_JOIN) can join the group. This could be used for privilege escalation. |
| whoCanViewMembership | ALL_IN_DOMAIN_CAN_VIEW | Only bad if you have “secret” projects. |
| whoCanViewGroup | ANYONE_CAN_VIEW, ALL_IN_DOMAIN_CAN_VIEW | Controls who can read the group's conversations. |
| allowExternalMembers | true | External identities (accounts outside the domain) can be added to the group. |
| whoCanPostMessage | ALL_IN_DOMAIN_CAN_POST, ANYONE_CAN_POST | Non-members can post to the group. This can be utilized for phishing. |
| membersCanPostAsTheGroup | true | Members can send mail as the group address. This can be abused for phishing. |
| whoCanLeaveGroup | NONE_CAN_LEAVE | This can be used as a honeypot. Make a juicy group name and alert on users joining it, since they can’t leave. |
| whoCanContactOwner | ANYONE_CAN_CONTACT | |
| whoCanDiscoverGroup | ANYONE_CAN_DISCOVER | |
| defaultSender | GROUP | |
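The table above is in effect a rule set. As an added example (not gubble's own code), the Python below applies those rules to group settings records shaped like the Google Groups Settings API `groups` resource, where the field names match the table and boolean settings come back as the strings `"true"`/`"false"`. The sample group records, the severity labels and the `audit_group`/`audit_groups` function names are constructed for this example.

```python
"""Audit Google Workspace group settings against the risky-permission table.

Added example, not gubble's own code. Input records are dicts with the same
field names as the Groups Settings API resource (whoCanJoin, whoCanPostMessage,
...). Sample records at the bottom are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

# setting -> (values the table flags as risky, severity, note). Severity labels
# are this example's own; the values and notes mirror the table.
RISKY_VALUES: Dict[str, Tuple[Set[str], str, str]] = {
    "whoCanJoin": ({"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}, "HIGH",
                   "group can be joined without approval; possible privilege escalation"),
    "whoCanViewMembership": ({"ALL_IN_DOMAIN_CAN_VIEW"}, "LOW",
                             "membership visible domain-wide; matters for sensitive projects"),
    "whoCanViewGroup": ({"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"}, "HIGH",
                        "conversations readable by non-members"),
    "allowExternalMembers": ({"true"}, "MEDIUM",
                             "identities outside the domain can be added"),
    "whoCanPostMessage": ({"ALL_IN_DOMAIN_CAN_POST", "ANYONE_CAN_POST"}, "MEDIUM",
                          "non-members can post; internal phishing vector"),
    "membersCanPostAsTheGroup": ({"true"}, "MEDIUM",
                                 "members can send mail as the group address"),
    "whoCanLeaveGroup": ({"NONE_CAN_LEAVE"}, "INFO",
                         "members cannot leave; honeypot candidate per the table"),
    "whoCanContactOwner": ({"ANYONE_CAN_CONTACT"}, "INFO", "owner reachable by anyone"),
    "whoCanDiscoverGroup": ({"ANYONE_CAN_DISCOVER"}, "INFO", "group discoverable by anyone"),
    "defaultSender": ({"GROUP"}, "INFO", "replies are sent as the group by default"),
}


def normalize(value) -> str:
    """The API returns booleans as "true"/"false" strings; accept real bools too."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def audit_group(settings: dict) -> List[dict]:
    """Return one finding per risky setting present in a single group record.

    A key that is absent from the record is skipped rather than flagged, so a
    partial record (e.g. a restricted API scope) does not produce false findings.
    """
    findings = []
    for setting, (risky, severity, note) in RISKY_VALUES.items():
        if setting not in settings:
            continue
        value = normalize(settings[setting])
        if value in risky:
            findings.append({
                "group": settings.get("email", "<unknown>"),
                "setting": setting,
                "value": value,
                "severity": severity,
                "note": note,
            })
    return findings


def audit_groups(groups: List[dict]) -> List[dict]:
    """Audit many group records; findings are ordered by group, then by table row."""
    return [f for g in groups for f in audit_group(g)]


def joinable_groups(groups: List[dict]) -> List[str]:
    """Emails of groups that any domain user (or anyone) can join: the first thing
    the README says testers look for."""
    return [g["email"] for g in groups
            if normalize(g.get("whoCanJoin", "")) in RISKY_VALUES["whoCanJoin"][0]]


# Constructed sample records (not real groups). The API field values are the
# enum strings the Groups Settings API uses.
SAMPLE_GROUPS = [
    {   # wide-open announcement list
        "email": "all-staff@example.com",
        "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
        "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
        "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
        "allowExternalMembers": "true",
        "whoCanPostMessage": "ANYONE_CAN_POST",
        "membersCanPostAsTheGroup": "false",
        "whoCanLeaveGroup": "ALL_MEMBERS_CAN_LEAVE",
        "whoCanContactOwner": "ALL_MANAGERS_CAN_CONTACT",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
        "defaultSender": "DEFAULT_SELF",
    },
    {   # locked-down group: nothing in the table should fire
        "email": "secproj@example.com",
        "whoCanJoin": "INVITED_CAN_JOIN",
        "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "allowExternalMembers": "false",
        "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
        "membersCanPostAsTheGroup": "false",
        "whoCanLeaveGroup": "ALL_MEMBERS_CAN_LEAVE",
        "whoCanContactOwner": "ALL_MEMBERS_CAN_CONTACT",
        "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER",
        "defaultSender": "DEFAULT_SELF",
    },
    {   # partial record with a real bool, e.g. from a hand-built inventory
        "email": "payroll-approvals@example.com",
        "whoCanLeaveGroup": "NONE_CAN_LEAVE",
        "membersCanPostAsTheGroup": True,
    },
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['group']}: {f['setting']}={f['value']} ({f['note']})")
    print("joinable:", joinable_groups(SAMPLE_GROUPS))
```

Feeding real data means listing groups with the Directory API and fetching each one's settings with the Groups Settings API; the audit logic itself is independent of how the records were obtained, which keeps it easy to run against an exported inventory offline.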