Thousands of Google Calendars Disclose Confidential Information

by Brendan Smith
September 18, 2019

Users of the Google Calendar service often make their notes available to third parties, without thinking that this way they disclose private information, as anyone can get access to their confidential data, including scheduled meetings, events and events.

According to security researcher at Grofers Avinash Jain, he managed to access 8,000 calendars using just Google search engine. The researcher could not only view planned events, but also make new entries, including those containing fake information and malicious links.

“I could access public calendars of various organizations that disclose confidential information, such as email identifiers, event names, event details, venues, meeting links, Zoom meeting links, Google Hangouts links, links to internal presentations and so on”, — Jain said.

The ability to make the calendar open in order to provide access to other users is provided, very convenient function, and the fact that the researcher was able to access other people’s confidential information is not Google’s fault.

Rather, there is a flaw on the part of the company, which did not take care to warn users about possible risks, the researcher said. The vulnerability is due to the public visibility set on the google calendar by the users that later left setting unchanged.

Read also: InnfiRAT malware steals Litecoin and Bitcoin wallets’ data

With Google not sending any notification to the users warning them about their calendar visibility, or to the organization if any of their employees making the calendar public and disclosing their calendar, with all the previous and future update/events/information set to public accessibility.

Using special search queries (Google Dork), in a matter of seconds you can create a list of all open calendars and gain access to confidential information, including companies from the top 500 Alexa.

“And what if someone belonging to an organization makes their official google calendar public — They might end up disclosing internal information of the company! Then that becomes a problem”, — says Avinash Jain.

How to fix?

The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.

View all posts

Leave a Reply

Sending