Google’s email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store. Security researchers warned that threat actors are exploiting the popularity of both in order to target users with a credential-stealing attack — As published on forbes.com
Recently I came across an article describing how Google Calendar users are being targeted with malicious, unsolicited calendar notifications: an invitation is added to the victim's calendar automatically and its event carries the credential-stealing link. The underlying risk is that settings in Google services, as configured by the users themselves, can be turned against them. Looking further into this, I found several Google Calendar settings that let a user share their calendar with specific people, and one that makes the calendar public so that anyone with the shared link can see it.
That is an intended feature of Google Calendar. The problem arises when a user does not intend the calendar to be seen until they hand out the link, yet someone finds the public link anyway. And if someone in an organization makes their official Google calendar public, they may end up disclosing internal company information.
What I found is that a single Google dork (advanced search query) lists the public Google calendars, that is, the users who have set their calendar to public. These calendars are indexed by Google's search engine, and many of them disclose sensitive information: a company's meetings, interviews, events, internal details, presentation links, locations, and so on. I found more than 200 calendars marked as public and indexed this way, which makes anyone's public calendar searchable over the internet.
Alternatively, anyone can find a given person's public calendar by putting their email address into the URL below (the same link the Shopify report discussed later was brute-forced against; it has to be opened while signed in to a Google account):
https://calendar.google.com/calendar/b/1/r?cid=users_mail_address@company_name.com
Google dork (advanced search query) to list publicly available calendars -
As a proof of concept, below are some of the calendars I was able to access. Anyone else could have done the same, since they are publicly available and disclose sensitive information of various people and organizations.
The screenshot below lists only some of the calendars I was able to add to my own:
I was able to access the public calendars of various organizations, which leaked details such as email addresses, event names and descriptions, locations, meeting links (Zoom and Google Hangouts), internal presentation links, and more.
Several of these calendars belonged to employees of companies in the Alexa top 500, and had been made public by the employees themselves, intentionally or not.
There is also a HackerOne report (https://hackerone.com/reports/48928) in which a researcher found a Shopify employee's public calendar and was able to access the following information:
- New hire information (due to onsite interviews)
- Internal presentations (some internal presentations that we could access)
- Zoom meeting links; these meetings could be joined without logging in, which puts a lot of internal information at risk.
He also brute-forced the company's user email addresses against the link mentioned above: https://calendar.google.com/calendar/b/1/r?cid=users_mail_address@company_name.com.
Shopify rewarded the researcher 1,500 USD.
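The check the researcher ran by hand, turned into an audit you can point at your own organization's address list, as an added example (this is not code from the original post, the HackerOne report or Google). It goes a little beyond the text: besides telling public calendars from non-public ones it parses the feed and buckets what actually leaks (meeting links, document links, locations, attendee addresses), and it distinguishes a calendar that only exposes free/busy blocks from one that exposes full event details. It assumes the public iCal feed URL form https://calendar.google.com/calendar/ical/<address>/public/basic.ics, that a calendar which is not public answers that URL with a 404, and it substitutes constructed .ics feeds for the network so it runs offline; the addresses, links and room names in them are made up.

```python
# Added example for this article (not code from the original post or from Google).
# Assumed: the public iCal feed URL form below, a 404 for non-public calendars, and the constructed .ics feeds at the bottom.
import re
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

ICAL_BASE = "https://calendar.google.com/calendar/ical/{cid}/public/basic.ics"
# Artifact types the article lists as leaking from public calendars.
MEETING_LINK = re.compile(r"https?://\S*(?:zoom\.us|meet\.google\.com|hangouts\.google\.com)\S*", re.I)
DOC_LINK = re.compile(r"https?://docs\.google\.com/\S+", re.I)

def public_feed_url(email: str) -> str:
    """Public feed for a calendar id (the owner's address); '@' is percent-encoded."""
    return ICAL_BASE.format(cid=quote(email, safe=""))

def unfold(ics: str) -> List[str]:
    """RFC 5545 unfolding: a line starting with space/tab continues the previous one."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_events(ics: str) -> List[Dict[str, str]]:
    """Minimal VEVENT parser: SUMMARY, LOCATION, DESCRIPTION, space-joined ATTENDEE URIs."""
    events: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()  # drop parameters such as ;CN=...
            value = value.replace("\\n", " ").replace("\\,", ",").replace("\\;", ";")
            if name == "ATTENDEE":
                current["ATTENDEE"] = (current.get("ATTENDEE", "") + " " + value).strip()
            elif name in ("SUMMARY", "LOCATION", "DESCRIPTION"):
                current[name] = value
    return events

def exposure_level(events: List[Dict[str, str]]) -> str:
    """'free_busy' if every event is an opaque 'Busy' block, 'full' if any has details."""
    for ev in events:
        has_details = any(ev.get(k) for k in ("LOCATION", "DESCRIPTION", "ATTENDEE"))
        if has_details or ev.get("SUMMARY", "").strip().lower() != "busy":
            return "full"
    return "free_busy" if events else "empty"

def classify_leaks(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket the sensitive artifacts an exposed calendar reveals."""
    leaks: Dict[str, List[str]] = {"meeting_links": [], "doc_links": [], "locations": [], "attendees": []}
    for ev in events:
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "LOCATION", "DESCRIPTION"))
        leaks["meeting_links"] += MEETING_LINK.findall(text)
        leaks["doc_links"] += DOC_LINK.findall(text)
        if ev.get("LOCATION"):
            leaks["locations"].append(ev["LOCATION"])
        leaks["attendees"] += [a[7:] for a in ev.get("ATTENDEE", "").split() if a.lower().startswith("mailto:")]
    return {k: sorted(set(v)) for k, v in leaks.items()}

def fetch_public_feed(url: str, timeout: int = 10) -> Optional[str]:
    """Live fetch; returns None when the calendar is not public (404, assumption)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit(emails: List[str], fetch: Callable[[str], Optional[str]] = fetch_public_feed) -> Dict[str, dict]:
    """One row per address: not public, or the exposure level plus what leaks."""
    report: Dict[str, dict] = {}
    for email in emails:
        ics = fetch(public_feed_url(email))
        if ics is None:
            report[email] = {"public": False}
            continue
        events = parse_events(ics)
        report[email] = {"public": True, "exposure": exposure_level(events), "leaks": classify_leaks(events)}
    return report

# Constructed feeds standing in for the network: alice exposes full details,
# bob exposes free/busy only, carol's calendar is not public at all.
SAMPLE_FULL_ICS = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Onsite interview - SRE candidate\r\n"
                   "LOCATION:HQ 4th floor\\, Room Aurora\r\n"
                   "DESCRIPTION:Join via https://zoom.us/j/1234567890 ; panel notes https:\r\n"
                   " //docs.google.com/document/d/EXAMPLE/edit\r\n"
                   "ATTENDEE;CN=Alice:mailto:alice@example.com\r\nATTENDEE;CN=Bob:mailto:bob@example.com\r\n"
                   "END:VEVENT\r\nEND:VCALENDAR\r\n")
SAMPLE_FREEBUSY_ICS = "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Busy\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
CONSTRUCTED_FEEDS = {public_feed_url("alice@example.com"): SAMPLE_FULL_ICS,
                     public_feed_url("bob@example.com"): SAMPLE_FREEBUSY_ICS}

def demo() -> Dict[str, dict]:
    """Offline run over the constructed feeds; call audit(addresses) for a live run."""
    return audit(["alice@example.com", "bob@example.com", "carol@example.com"], fetch=CONSTRUCTED_FEEDS.get)
```

Calling demo() returns a report in which alice's calendar is public with "full" exposure and one Zoom link, one Google Docs link, one room location and two attendee addresses recovered from it, bob's is public but only "free_busy" (nothing leaks, which is the setting recommended at the end of this article), and carol's is not public. For a live run, pass the organization's address list to audit() with the default fetcher; do this only against addresses you are authorized to test.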
The vulnerability comes from the public visibility that users set on their Google Calendar and then leave as it is. Google sends no notification to warn users about their calendar's visibility, nor to the organization when one of its employees makes a calendar public, so all of that calendar's past and future events and details end up publicly accessible.
This is an intended setting and intended behavior of the service, but the issue is that anyone can view anyone's public calendar, and subscribe to it, with a single search query, without ever being sent the calendar link. People may have made their calendar public for a particular organization or group of people and intended to share the URL only with them; instead it gets indexed by Google search, becomes publicly searchable, and anyone can find it without knowing the link. People who were never meant to see the calendar can now access it. It is worse still if the calendar's sharing permissions also let others add events or links to it. And, as the Shopify case shows, one employee's mistake can leak an organization's information.
The fix for this: https://support.google.com/a/answer/60765?hl=en. If a calendar must be public, set it to show only free/busy information, which hides event titles, descriptions, locations and guests. The same admin page lets a G Suite admin cap external sharing for the whole organization, so that no individual user can expose more than free/busy. A G Suite admin can also create alerts for when Google Docs, presentations, and calendars are made public.