A serious privacy exposure has been found in Google's scheduling service, Google Calendar. When a calendar is shared publicly, sensitive organizational details such as email addresses, event names, locations and durations become visible to anyone on the internet.
The recently identified exposure lets anyone outside a company retrieve internal information such as email addresses, meeting venues and dial-in passcodes for restricted calls. Worse, where a calendar has been shared with public edit rights, scammers can add links and create new events and meetings without authenticating at all. At the same time, scammers are exploiting this public availability, together with the tight integration between Google services, to hit users with credential-stealing attacks.
Security researcher Avinash Jain recently published a blog post bringing the issue to light. He found that with a Google dork (an advanced search-operator query) he could enumerate publicly indexed Google Calendars and their owners. More than 8,000 such calendars, containing sensitive private information about organizations, were exposed and open to being browsed and abused by scammers.
Google Calendar's purpose
Google Calendar is a service built with teams and groups in mind. As of February 2018, its app had been installed more than 500 million times. The service lets teams and individuals share a common digital calendar that can be viewed, edited and re-shared by team members, or by external parties, depending on the sharing settings the owner has enabled. This public visibility is therefore not a slip-up in protecting user data but an intentional feature meant to ease collaboration among organizations and employees.
The service also has settings that keep details confidential even on a publicly shared calendar: people outside the organization can be shown only whether a slot is "free" or "busy". The blind spot, then, comes from Google not sufficiently educating and notifying its customers about what sharing a calendar publicly actually exposes.
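The sharing settings described above are exposed to administrators through the calendar's access-control (ACL) rules, which is where an organization can check, at scale, which calendars are public and whether they show full event details or only free/busy blocks. The following audit script is an added example, not code from the article or from Google. It relies on the documented shape of Google Calendar API v3 ACL rules (a "scope" with type default/user/group/domain and a "role" of none, freeBusyReader, reader, writer or owner; scope type "default" is the public scope). The ACL listings it audits are constructed inline; fetching live rules with the google-api-python-client library is shown only in comments and is not executed.

```python
"""Audit Google Calendar sharing (ACL) rules for public exposure.

Added example; not code from the article or from Google. It relies on the
documented shape of Google Calendar API v3 ACL rules: each rule carries a
"scope" ({"type": "default" | "user" | "group" | "domain", "value": ...})
and a "role" ("none", "freeBusyReader", "reader", "writer", "owner").
Scope type "default" is the public scope: it applies to anyone on the
internet. The rules below are constructed; a live audit would fetch them
with service.acl().list(calendarId=...).execute()["items"] using the
google-api-python-client library (not executed here).
"""
from dataclasses import dataclass
from typing import List, Optional

# Roles that expose event details (titles, locations, descriptions, attendees).
DETAIL_ROLES = {"reader", "writer", "owner"}
# The one role that keeps a public calendar to "free"/"busy" blocks only.
FREE_BUSY_ONLY = "freeBusyReader"


@dataclass
class Finding:
    calendar_id: str
    scope_type: str
    scope_value: Optional[str]
    role: str
    severity: str


def audit_acl(calendar_id: str, rules: List[dict]) -> List[Finding]:
    """Return one Finding per ACL rule that over-shares the calendar."""
    findings = []
    for rule in rules:
        scope = rule.get("scope", {})
        scope_type, scope_value = scope.get("type"), scope.get("value")
        role = rule.get("role", "none")
        if scope_type == "default" and role in DETAIL_ROLES:
            # Public and readable: the exposure the article describes. Public
            # and writable additionally lets strangers plant events and links.
            severity = "critical" if role in ("writer", "owner") else "high"
            findings.append(Finding(calendar_id, scope_type, None, role, severity))
        elif scope_type == "domain" and role in ("writer", "owner"):
            # Everyone in the domain can edit; worth a look, but not public.
            findings.append(Finding(calendar_id, scope_type, scope_value, role, "medium"))
    return findings


def remediation_body(finding: Finding) -> dict:
    """ACL rule body that downgrades the over-share.

    For a public rule this keeps the calendar discoverable but limits it to
    free/busy; it would be applied (not done here) with
    service.acl().update(calendarId=..., ruleId="default", body=...).
    """
    if finding.scope_type == "default":
        return {"scope": {"type": "default"}, "role": FREE_BUSY_ONLY}
    return {"scope": {"type": finding.scope_type, "value": finding.scope_value},
            "role": "reader"}


# Constructed ACL listings for three calendars (sample data, not real accounts).
SAMPLE_ACLS = {
    "ops@example.com": [
        {"id": "user:ops@example.com", "scope": {"type": "user", "value": "ops@example.com"}, "role": "owner"},
        {"id": "default", "scope": {"type": "default"}, "role": "reader"},          # public, details visible
    ],
    "events@example.com": [
        {"id": "user:events@example.com", "scope": {"type": "user", "value": "events@example.com"}, "role": "owner"},
        {"id": "default", "scope": {"type": "default"}, "role": "writer"},          # public AND editable
    ],
    "exec@example.com": [
        {"id": "user:exec@example.com", "scope": {"type": "user", "value": "exec@example.com"}, "role": "owner"},
        {"id": "default", "scope": {"type": "default"}, "role": "freeBusyReader"},  # public, free/busy only: fine
    ],
}


def audit_all(acls: dict) -> List[Finding]:
    """Run audit_acl over every calendar in a {calendar_id: rules} mapping."""
    return [f for cal_id, rules in acls.items() for f in audit_acl(cal_id, rules)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"[{f.severity}] {f.calendar_id}: scope={f.scope_type} role={f.role}"
              f" -> patch with {remediation_body(f)}")
```

The third calendar is public but limited to free/busy, which is the setting the text describes as safe, so it produces no finding; the other two are flagged, with a public writer role ranked above a public reader because it also lets outsiders plant events.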
Past Data Breaches of Google
Such an exposure from a company like Google, whose business is built on handling user data, is disappointing. Even though the Google Calendar issue cannot strictly be classified as a data breach, Google has a history of unsafe handling of user information.
In 2014, personal information of about 5 million Google users surfaced on Russian cybercrime websites, blamed at the time on a bug. The data included names, ages, occupations and similar demographic details, along with email addresses and passwords.
Google is also widely criticized for tracking its users' internet activity and monetizing it through third-party advertisers, which many regard as a serious breach of privacy.
The exploitation of Google’s Services by Scammers
Earlier this year, an article on Kaspersky Daily highlighted some of the common ways scammers misuse the easy connectivity and data flow between Google services such as Google Photos, Gmail and Google Translate.
Google Calendar is among the easiest of these to abuse. As noted above, anyone can add or edit events in a calendar that has been shared with public edit access, and an unsolicited invitation can land directly in a target's agenda. Scammers use this to set up "meetings" with users, filling the location and topic fields with a message that the recipient is eligible for a cash payment. The entry carries a link that supposedly lets them collect the money; in reality it leads to a page built to harvest their bank details.
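The cash-payment invite described above can be caught before it reaches a user's agenda by inspecting the invitation itself. The following is an added example, not code from the article or from Kaspersky: it parses a constructed iCalendar (.ics) invitation with a minimal RFC 5545 reader (unfolding continuation lines and reading each VEVENT's text properties) and flags events that carry an untrusted link in the location field, payment-lure wording alongside an untrusted link, or a link whose domain differs from the organizer's. The trusted-domain list, the lure phrases and both sample invites are assumptions to be tuned per organization.

```python
"""Flag calendar invitations that match the cash-payment lure described above.

Added example, not code from the article or from Kaspersky. The two sample
invites are constructed; the trusted domains and lure phrases are assumed
lists a deploying team would tune. Parsing is a minimal iCalendar (RFC 5545)
reader: folded lines are joined, and the text properties of each VEVENT are
collected into a dict.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Wording typical of the "you are eligible for a payment" lure (assumed list).
LURE_PHRASES = ("cash payment", "eligible", "prize", "reward", "claim your", "refund")
# Domains a link inside a calendar entry may point at (assumed; tune per org).
TRUSTED_DOMAINS = {"meet.google.com", "example.com"}


def unfold(ics_text: str) -> List[str]:
    """Join folded lines: a line starting with a space or tab continues the previous one."""
    lines: List[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text: str) -> List[Dict[str, str]]:
    """Return one dict per VEVENT mapping property name -> unescaped value."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()          # drop parameters such as ;CN=...
            value = value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")
            current[name] = value
    return events


def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def untrusted_links(text: str) -> List[str]:
    return [u for u in URL_RE.findall(text) if not is_trusted(domain_of(u))]


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a scam invite (empty list = clean)."""
    reasons = []
    text = " ".join(event.get(k, "") for k in ("SUMMARY", "LOCATION", "DESCRIPTION"))
    untrusted = untrusted_links(text)
    lure_hits = [p for p in LURE_PHRASES if p in text.lower()]
    # A URL where a meeting place should be is the lure's delivery path.
    if untrusted_links(event.get("LOCATION", "")):
        reasons.append("untrusted link in LOCATION field")
    if untrusted and lure_hits:
        reasons.append("payment lure wording (" + ", ".join(lure_hits) + ") with untrusted link")
    organizer = event.get("ORGANIZER", "").lower()
    org_domain = organizer.rsplit("@", 1)[1] if "@" in organizer else ""
    if untrusted and org_domain and all(domain_of(u) != org_domain for u in untrusted):
        reasons.append("link domain does not match organizer domain " + org_domain)
    return reasons


def triage(ics_text: str) -> Dict[str, List[str]]:
    """Map each event UID to its list of reasons."""
    return {ev.get("UID", "?"): assess_event(ev) for ev in parse_events(ics_text)}


# Constructed sample: one ordinary internal meeting, one cash-payment lure.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:legit-1
ORGANIZER;CN=Alice:mailto:alice@example.com
SUMMARY:Weekly sync
LOCATION:Room 4B
DESCRIPTION:Join at https://meet.google.com/abc-defg-hij
DTSTART:20190918T090000Z
END:VEVENT
BEGIN:VEVENT
UID:scam-1
ORGANIZER;CN=Rewards:mailto:noreply@promo.example.net
SUMMARY:You are eligible for a cash payment
LOCATION:https://claim.example.net/pay?id=1234
DESCRIPTION:Claim your reward today: https://claim.example.net/pay?id=1234
 (offer expires soon)
DTSTART:20190918T100000Z
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for uid, reasons in triage(SAMPLE_ICS).items():
        print(uid, "->", reasons or "clean")
```

The second event's DESCRIPTION is folded across two lines, which is how real invites arrive; a detector that forgets to unfold would truncate the text and could miss the link. Matching on wording alone is deliberately not enough to flag an event: the checks require an untrusted link as well, so an internal "expense refund" meeting with a company link stays clean.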
A similar scam makes the rounds on Google Photos, except that the offer arrives as a shared picture.
For the same reason, Google Forms warns users never to submit passwords, bank details or other private data through a form.
Google and every other web service must therefore be used with care. At the same time, companies should be held accountable and required to be transparent about how they use their customers' data. Until Google addresses this exposure, anyone concerned about their private data should review their Google Calendar sharing settings closely, or stop using the service.