Users of the Google Calendar service often make their notes available to third parties, without thinking that this way they disclose private information, as anyone can get access to their confidential data, including scheduled meetings, events and events.
According to security researcher at Grofers Avinash Jain, he managed to access 8,000 calendars using just Google search engine. The researcher could not only view planned events, but also make new entries, including those containing fake information and malicious links.“I could access public calendars of various organizations that disclose confidential information, such as email identifiers, event names, event details, venues, meeting links, Zoom meeting links, Google Hangouts links, links to internal presentations and so on”, — Jain said.
The ability to make the calendar open in order to provide access to other users is provided, very convenient function, and the fact that the researcher was able to access other people’s confidential information is not Google’s fault.
Rather, there is a flaw on the part of the company, which did not take care to warn users about possible risks, the researcher said. The vulnerability is due to the public visibility set on the google calendar by the users that later left setting unchanged.
Read also: InnfiRAT malware steals Litecoin and Bitcoin wallets’ data
With Google not sending any notification to the users warning them about their calendar visibility, or to the organization if any of their employees making the calendar public and disclosing their calendar, with all the previous and future update/events/information set to public accessibility.
Using special search queries (Google Dork), in a matter of seconds you can create a list of all open calendars and gain access to confidential information, including companies from the top 500 Alexa.
“And what if someone belonging to an organization makes their official google calendar public — They might end up disclosing internal information of the company! Then that becomes a problem”, — says Avinash Jain.
How to fix?
The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.