Thousands of Google Calendars Disclose Confidential Information

by Brendan Smith
September 18, 2019
Google calendar disclose information
Written by Brendan Smith

Users of the Google Calendar service often make their notes available to third parties, without thinking that this way they disclose private information, as anyone can get access to their confidential data, including scheduled meetings, events and events.

According to security researcher at Grofers Avinash Jain, he managed to access 8,000 calendars using just Google search engine. The researcher could not only view planned events, but also make new entries, including those containing fake information and malicious links.

“I could access public calendars of various organizations that disclose confidential information, such as email identifiers, event names, event details, venues, meeting links, Zoom meeting links, Google Hangouts links, links to internal presentations and so on”, — Jain said.

The ability to make the calendar open in order to provide access to other users is provided, very convenient function, and the fact that the researcher was able to access other people’s confidential information is not Google’s fault.

Rather, there is a flaw on the part of the company, which did not take care to warn users about possible risks, the researcher said. The vulnerability is due to the public visibility set on the google calendar by the users that later left setting unchanged.

Read also: InnfiRAT malware steals Litecoin and Bitcoin wallets’ data

With Google not sending any notification to the users warning them about their calendar visibility, or to the organization if any of their employees making the calendar public and disclosing their calendar, with all the previous and future update/events/information set to public accessibility.

Using special search queries (Google Dork), in a matter of seconds you can create a list of all open calendars and gain access to confidential information, including companies from the top 500 Alexa.

“And what if someone belonging to an organization makes their official google calendar public — They might end up disclosing internal information of the company! Then that becomes a problem”, — says Avinash Jain.

How to fix?

The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

View all posts

Leave a Reply

Sending