This is a bug I reported to Google via Google's Vulnerability Rewards Program on Oct 9, 2016.
As part of this program, the panel decided to issue me a reward of $500.
Below is an intact reproduction of the report sent to Google (except for the "attack scenario", in which censored parts are written in italics to hide confidential information):
Summary: Some users continue to receive email updates of some threads of a Google group after being removed from a group
This vulnerability is not an XSS, SQL injection or similar vulnerability, but rather a design flaw in the Google Groups software which allows users to access information they are not supposed to access. It involves actions from two users, so I'm going to call one user X (the one who administers a Google Group) and the other user Y (the one who is part of a Google Group and is later on removed from the group).
Steps to reproduce:
- With user X, create a Google Group with the following options (this prevents non-members from viewing threads/topics and from posting):
  - Group type: web forum
  - View topics: Managers of the group, All members of the group
  - Post: Managers of the group, All members of the group
  - Join the group: Anyone can ask
- Invite user Y to join the recently created group.
- User Y accepts the invitation sent by email.
- In the group homepage, user Y clicks the "person-gear button" in the upper-right corner of the page (it's labeled "My settings") and clicks "Membership and email settings".
- In the dialog which opens, the following options are set:
  - Email delivery preference: Don't send email updates
  - Automatically subscribe me to email updates when I post on a topic: checked
- User Y saves the previous settings.
- User X creates a thread in the group.
- User Y replies to the thread, leaving the checkbox "Email updates to me" checked.
- User X removes user Y from the group.
- User X writes a message to the thread where user Y participated.
- User Y receives an email with the last message of user X, although user Y is no longer part of the group, because user Y is still subscribed to this thread in the group.
What should be done?
I think when a user is removed from a group, all the subscriptions active on topics from that group should be removed.
This behaviour is not specified anywhere in the Google Groups HC (help center, https://support.google.com/groups/), but I suppose this should be the behaviour of Google Groups, because otherwise the group owner cannot control whether a user who is removed from a group will be able to continue to receive updates from some threads where confidential information could be shared.
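To make the design flaw and the proposed fix concrete, here is an added toy model of the reproduction steps and of the recommended behaviour. It is constructed for this write-up and is not Google's code; the class and method names, the user labels X and Y, and the thread id are all assumptions. The legacy policy draws notification recipients from per-thread subscriptions alone, so a subscription outlives the membership that justified it. The hardened policy does two things: removing a member revokes every subscription they hold (the fix proposed above), and the fan-out re-checks current membership at delivery time, so a stray subscription record can no longer leak a message. A small audit helper also lists subscriptions whose owner is no longer a member, which is the check an administrator would want to run against existing data.

```python
"""Toy model of thread subscriptions outliving group membership.

Constructed example for this write-up; not Google Groups code.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    """A group with a member set and per-thread subscription sets."""
    members: set = field(default_factory=set)
    # thread_id -> set of users who asked for email updates on that thread
    thread_subscribers: dict = field(default_factory=dict)
    hardened: bool = False  # False reproduces the reported behaviour

    def add_member(self, user: str) -> None:
        self.members.add(user)

    def remove_member(self, user: str) -> None:
        self.members.discard(user)
        if self.hardened:
            # Proposed fix: leaving the group drops every thread subscription.
            for subs in self.thread_subscribers.values():
                subs.discard(user)

    def subscribe(self, user: str, thread_id: str) -> None:
        # Subscribing is only allowed while the user is a member, in both
        # policies; the flaw is that the check is never repeated later.
        if user not in self.members:
            raise PermissionError(f"{user} is not a member")
        self.thread_subscribers.setdefault(thread_id, set()).add(user)

    def post(self, author: str, thread_id: str) -> set:
        """Return the set of users who would be emailed for a new message."""
        if author not in self.members:
            raise PermissionError(f"{author} is not a member")
        recipients = set(self.thread_subscribers.get(thread_id, set()))
        recipients.discard(author)
        if self.hardened:
            # Defence in depth: re-check membership at delivery time, so a
            # subscription record that somehow survived cannot leak a message.
            recipients &= self.members
        return recipients


def stale_subscriptions(group: Group) -> dict:
    """Audit helper: thread_id -> users subscribed but no longer members."""
    stale = {}
    for thread_id, subs in group.thread_subscribers.items():
        leftovers = subs - group.members
        if leftovers:
            stale[thread_id] = leftovers
    return stale


def reproduce(hardened: bool) -> set:
    """Replay the report's steps and return who gets X's final message."""
    g = Group(hardened=hardened)
    g.add_member("X")          # X administers the group
    g.add_member("Y")          # Y accepts the invitation
    g.subscribe("Y", "thread-1")  # Y replies with "Email updates to me" checked
    g.remove_member("Y")       # X removes Y from the group
    return g.post("X", "thread-1")  # X writes another message to the thread


if __name__ == "__main__":
    print("legacy recipients:  ", reproduce(False))   # {'Y'}: the leak
    print("hardened recipients:", reproduce(True))    # set(): nothing sent
```

Running the module prints the recipient set under each policy: the legacy model still emails Y after removal, exactly as in the reproduction steps, while the hardened model sends nothing. The `stale_subscriptions` helper is the cheap retroactive check: run over a legacy group after a removal it reports the dangling entry, and over a hardened group it reports none.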
Browser/OS: Chrome 54.0.2840.50 beta, OS X 10.11.6
Attack scenario:
Any user who is part of a Google Group and later on is removed can "exploit" this vulnerability.
This is a scenario which happened to me, and it consists of the following:
Someone invited me to CENSORED, a Google Group where confidential information is discussed. I enabled the option to receive updates in the threads where I posted. Afterwards I posted in multiple threads. Afterwards, I was removed from CENSORED. From that point onwards, I continued receiving updates from threads I previously posted, and there was confidential information which I wasn't supposed to be receiving. That was because I continued to be subscribed to those threads.