Google Calendar Users Are One Click Away From Privacy Disaster


On September 9, I reported that Google was finally, more than two years after first being notified of the problem, working on fixing the malicious invites issue for users of Google Calendar. I thought that would be the last time I would need to bring a Google Calendar issue to the attention of a wider audience for a while; I was wrong. This time it's another feature that can also be problematical, leaving some users just one click away from exposing calendar data to the world. While this isn't a security vulnerability, and for once I'm happy to agree with Google on that, it is a privacy disaster waiting to happen and one that could well have security implications down the line.

What's the one-click privacy problem with Google Calendar?

I was contacted by Avinash Jain, a security researcher from India working at an e-commerce company called Grofers, and someone who has a track record of finding vulnerabilities, bugs and privacy issues with companies such as Jira, NASA, Yahoo as well as Google. It was the latter he wanted to talk about on this occasion. Inspired by my earlier report regarding how Google had announced it was working on a fix for the malicious invites issue for Calendar users, Jain started looking into the broader problem of misconfigured settings.

It should be made clear at this point that the settings in question are there as part of the intended functionality of Google Calendar, and Jain isn't talking about a software code bug or vulnerability. Instead, this is a misconfiguration issue.

OK, on with the story. Jain focused his attention on those options that enable a user to share calendar events with specific users; more precisely, the option to make the calendar public. "While this is an intended setting by the user and intended behavior of the service," Jain says, "the main issue here is that anyone can view any public calendar by making a single Google search query, and without the calendar link being shared with them."

How does Google Calendar sharing work?

It's probably best to consider why you would share a calendar before addressing how. The most common use case is likely to be the sharing of event reminders, organizing meetups and the like. The important thing is that these calendar events then update in real time and keep everyone in the loop. Once a calendar is made public, according to the Google online support pages, other people can see the calendar on a website, sync it with other applications, and both subscribe to it and see it in their own Google Calendar.

There are multiple options for sharing a calendar, including various calendars that include some private and some shared ones. For the shared ones, which you can only edit on a computer and not in the mobile app, there is an option to "make available to public" from the access permissions. There is an option to select "see only free/busy" which hides the details of the event, but for most people, most of the time, this would lose the sharing functionality they are here for.

To stop sharing the calendar publicly, the user unchecks the make it public box. Importantly though, the Google support pages state this "can take up to four hours" for the change to be applied.

Equally importantly, when you have set a calendar to public that then becomes the default for all new events that are added to it unless you explicitly change the privacy settings for that event.

So, what's the privacy problem with Google Calendar again?

When changing a calendar to public, Google does display a warning dialog that states: "Making your calendar public will make all events visible to the world, including by way of Google search. Are you sure?" Which suggests that there's no privacy problem, or at least not one that the user is unaware of, right?

Wrong, according to Jain. "Users might have intended to make their calendar public for particular company people, and just shared the URL with them, but instead it is indexed and findable using Google search," Jain says. "Because anyone can find the calendar without even knowing the link," Jain says, "and if the calendar has settings that allow users to add events and links it, one employee mistake can lead to company information being leaked."

Jain points to the example of a case involving Shopify which was reported via the HackerOne bug bounty platform. Because some Shopify employees had their Google Calendars set to public, a researcher was able to access confidential and sensitive company information. By using a tool to find all "@shopify.com" emails, and then running this list through a Google Calendar feature that enables the adding of other people's calendars, the researcher found the public employee ones. Among the information that was accessible as a result was onsite interview data that revealed new hire information, internal company presentations, and Zoom meeting links that, once again, put internal information at risk. None of this was the intent of the employee who, most likely, was trying to be more productive and do a better job.

What does the Calendar user need to know to mitigate this risk?

In that Shopify case, the solution was to apply a universal, organization-wide setting using GSuite so that all public calendars could only display a free or busy status and no other information. This should have been the default, but it’s also where the misconfiguration issue kicks in and demonstrates how important it is to understand the implications of the changes you make.

When it comes to the Zoom meetings issue that the Shopify case also highlighted, this can be mitigated by restricting those Zoom meetings to users signed in with a specific domain, which prevents attackers from accessing internal company meetings.

"Google shouldn't index the Google Calendars links in search listings," Jain says, "until and unless advised by the user in some way." This would mean a change so that the user has more ongoing visibility and awareness of the risks of using public calendars. I agree with Jain that more clarity is required here to ensure that users are genuinely aware of the privacy implications of public status, beyond the warning dialog when initially configuring that change.

What does the cybersecurity expert say?

While admitting that this probably isn't something that most people would flag as being severe, Jake Moore, cybersecurity specialist at ESET, says that "if companies choose to use Google for their business calendar events, those firms must consider providing adequate training to make sure their employees understand the risks around keeping their company data secure."

Moore goes on to say it can be argued that if a company uses an application that allows data to be shared publicly, then it must also understand the possible risks and take precautions where necessary. "Utilizing the functions of a GSuite admin role such as setting up an alert when a user makes a calendar public is a perfect way to monitor this threat," Moore says.
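One way to act on the two mitigations above (capping public sharing at free/busy, and alerting when a calendar goes public), as an added example that is not from the article, Google or the researcher: the Python below audits calendar access rules and flags any public rule that exposes more than free/busy. It assumes rules shaped like the Google Calendar API's ACL resource, where a `scope.type` of `default` means public; the function name, addresses and sample data are constructed for illustration.

```python
# Added example: audit calendar ACL rules for public exposure beyond free/busy.
# Rule shape assumed to follow the Google Calendar API ACL resource.

# Roles ordered from least to most access.
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}


def audit_public_sharing(acls_by_calendar, max_public_role="freeBusyReader"):
    """Return one finding per public rule that exceeds max_public_role.

    acls_by_calendar maps calendar id -> list of rule dicts, each with a
    'role' and a 'scope' dict; scope type 'default' is the public scope.
    """
    limit = ROLE_RANK[max_public_role]
    findings = []
    for calendar_id, rules in sorted(acls_by_calendar.items()):
        for rule in rules:
            if rule.get("scope", {}).get("type") != "default":
                continue  # user, group and domain rules are not world-readable
            role = rule.get("role", "none")
            # Treat an unrecognised role as most permissive so it gets reviewed.
            rank = ROLE_RANK.get(role, max(ROLE_RANK.values()))
            if rank > limit:
                findings.append({"calendar": calendar_id, "role": role})
    return findings


# Constructed sample data (not real accounts).
SAMPLE_ACLS = {
    "alice@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
        {"role": "reader", "scope": {"type": "default"}},  # public, full details
    ],
    "bob@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "bob@example.com"}},
        {"role": "freeBusyReader", "scope": {"type": "default"}},  # public, free/busy
    ],
    "carol@example.com": [
        {"role": "reader", "scope": {"type": "domain", "value": "example.com"}},
    ],
}

if __name__ == "__main__":
    for finding in audit_public_sharing(SAMPLE_ACLS):
        print("ALERT: {calendar} is public with role {role}".format(**finding))
```

Passing `max_public_role="none"` turns the same check into an alert on any public calendar at all, which matches the monitoring Moore describes.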

What does Google say?

A Google spokesperson provided the following statement: "Calendar sharing is private by default for both G Suite and consumer Calendar users. G Suite admins can control the level of detail with which enterprise users can share their calendar externally. A G Suite user cannot exceed the level of event details allowed by their admin for external sharing. Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public."

--

Updated September 17: This article was updated with a Google statement which clarifies the default privacy setting for all Calendar users.




I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Sec

...