The researcher was able to not only view records, but also make new ones, including those containing malicious links.
Users of the Google Calendar service often make their notes available to third parties, without thinking that in this way anyone can get access to their confidential information, including scheduled meetings, events and events.
According to security researcher at Grofers Avinash Jain, he managed to access 8,000 other people’s calendars using just Google search engine. The researcher could not only view planned events, but also make new entries, including those containing fake information and malicious links.
“I could access public calendars of various organizations that disclose confidential information, such as email identifiers, event names, event details, venues, meeting links, Zoom meeting links, Google Hangouts links, links to internal presentations and so on, ”Jain said.
The ability to make the calendar open in order to provide access to other users is a provided, very convenient function, and the fact that the researcher was able to access other people’s confidential information is not Google’s fault. Rather, there is a flaw on the part of the company, which did not take care to warn users about possible risks, the researcher said. In addition, there is no indicator in the calendar interface indicating the availability of data to everyone.
Using special search queries (Google Dork), in a matter of seconds you can create a list of all open calendars and gain access to confidential information, including companies from the top 500 Alexa.
Recall, not so long ago, Kaspersky Lab warned users of Google Calendar about the increasing attacks of spammers. Since the service allows anyone to make an appointment with a user, about which he receives a corresponding notification, scammers massively rushed to make an appointment. They add the text of the spam message to the “Event Subject” and “Where” fields. Typically, these are fake winnings or cash rewards notifications containing a malicious link.