Thousands of Google Calendars are leaking private information online, threatening the privacy of their users.
Google Calendar has more than 1 billion users who could potentially expose their private affairs due to an issue in the implementation of the “invite” feature. It is essential to point out that this isn’t a security vulnerability in Google Calendar, but an issue that could potentially impact anyone who has ever shared their Google Calendars.
The security researcher Avinash Jain discovered more than 8000 Google Calendars exposed online that were indexed by the Google search engine. This means that anyone could potentially access sensitive
Avinash Jain, an Indian expert who works for the e-commerce firm Grofers, contacted several media outlets, including Forbes and THN.
“What I found is that — Using a single Google dork (advance search query), I am able to list down all the public google calendar or users who all have set their calendar as public. I found dozens of calendars which are indexed by google’s search engines, revealing or disclosing several sensitive information.” wrote the expert. “I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links, google hangout links, internal presentation links and much more,”
Some of the calendars, made public intentionally or unintentionally, belonged to employees of companies in the Alexa top 500.
The issue is related to the public visibility that users set on their Google Calendar. Google fails to send any notification to the users warning them about the visibility of their calendar.
“While this is more of an intended setting by the users and intended behavior of the
The issue is not new; in recent years many experts have warned of the misuse of the “make it public” feature that Google implemented in its web-based calendar service 12 years ago.
The expert demonstrated that it is possible to view the exposed Google Calendars by using an advanced Google search query (Google Dork).
“The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.” concludes the researcher.
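The following audit sketch is an added example, not code from the researcher or from Google. It separates calendars that are public with full event details from those limited to Free/Busy, the setting recommended above. It assumes the access rules have been exported in the shape of Calendar API v3 `acl.list` responses, where scope type `default` denotes the public; the calendar ids and rules are constructed sample data.

```python
import json

# Roles of the Calendar API v3 ACL resource, ordered by how much they expose.
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}
UNKNOWN_RANK = 5  # assumption: treat an unrecognised role as worst case

# Constructed sample: calendar id -> acl.list-style response (not real data).
SAMPLE_ACLS = json.loads("""
{
  "roadmap@example.com": {"items": [
    {"id": "user:alice@example.com",
     "scope": {"type": "user", "value": "alice@example.com"}, "role": "owner"},
    {"id": "default", "scope": {"type": "default"}, "role": "reader"}]},
  "oncall@example.com": {"items": [
    {"id": "default", "scope": {"type": "default"}, "role": "freeBusyReader"}]},
  "hr@example.com": {"items": [
    {"id": "domain:example.com",
     "scope": {"type": "domain", "value": "example.com"}, "role": "reader"},
    {"id": "default", "scope": {"type": "default"}, "role": "none"}]}
}
""")

def rank(role):
    return ROLE_RANK.get(role, UNKNOWN_RANK)

def public_role(acl):
    """Strongest role granted to the public ('default' scope), or None."""
    roles = [rule.get("role", "none") for rule in acl.get("items", [])
             if rule.get("scope", {}).get("type") == "default"]
    roles = [r for r in roles if rank(r) > 0]  # role 'none' grants nothing
    return max(roles, key=rank) if roles else None

def audit(acls):
    """Map each calendar id to private / public-free-busy / public-details."""
    findings = {}
    for cal_id, acl in acls.items():
        role = public_role(acl)
        if role is None:
            findings[cal_id] = "private"
        elif role == "freeBusyReader":
            findings[cal_id] = "public-free-busy"
        else:  # reader or stronger: event names, attendees, links are visible
            findings[cal_id] = "public-details"
    return findings

if __name__ == "__main__":
    for cal_id, status in sorted(audit(SAMPLE_ACLS).items()):
        print(f"{status:18} {cal_id}")
```

Calendars reported as `public-details` are the ones to switch to Free/Busy or to make private.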
(SecurityAffairs – Google Calendars, privacy)