Misconfigured Google Calendars Share Events With the World


steven36

Thousands of Google users are exposing the contents of their calendars to the public. The information is indexed by search engines and can include email addresses as well as private events from individuals and businesses.

 


The problem stems from misconfiguring Google Calendar when sharing its contents with others: making the data public means that anyone with your Calendar link can access it.

 

Google shows a warning about this but thousands of users seem to ignore it, allowing their calendars to be available in public searches. Even organizations appear to disregard the notification, ending up disclosing business-related information to the world.

Dorks are powerful

Avinash Jain, a security researcher from India working for e-commerce company Grofers, discovered that using advanced search parameters (dorks) on Google can reveal meetings, interviews, events, internal information, presentation links, and locations for some companies.

 

He discovered over 200 calendars exposing information that should remain private, yet it was indexed by Google.

 

Avinash has experience in finding unprotected details using readily available methods. Putting his skills to work, he previously found a way to discover misconfigured Jira servers used by big-name companies such as Google, NASA, Lenovo, 1Password, Zendesk, or Yahoo!.

 

Finding if a specific calendar is openly accessible is as easy as running a particular query that includes the owner's email address, the researcher discloses in a blog post today. Uncovering all open calendars indexed by Google requires a more general search:

 

inurl:https://calendar.google.com/calendar?cid=

 

Using this query, at the time of writing Google lists over 7,000 results. Not all the calendars have entries, though, and it's a matter of going through them manually to find one that has sensitive information.

 

Avinash was able to find troves of sensitive details from doctors' offices, individuals, and organizations. Some of the calendars he was able to add to his own are shown below:

 

 

[Image: open Google calendars the researcher was able to add to his own calendar]

 

 

Needless to say, a company leaking specifics of its meetings, links to internal presentations, or email IDs would put itself at risk. Not only could competitors glean these details, but crooks could use them to plan a cyber attack.

Reveal only current status

Avinash told BleepingComputer that he disclosed the issue to Google, but the company replied that this is how the product is intended to work, so it is up to users to protect their data.

 

He also reported an open calendar to a company that rewarded him for his private disclosure. The researcher could not reveal the name of the company and the amount received.

 

Another researcher, though, who reported the same type of issue to Shopify, got a $1,500 bounty earlier this year. He was able to glean the following details from the exposed calendar:

 

  • New hire information
  • Internal presentation
  • Zoom meetings link

 

Some users may need to share their calendars to make their schedule known to others and reduce the risk of impromptu requests or activities that would disturb their workflow.

 

A solution is to set your calendar to share minimum information about your schedule, disclosing only whether you're busy or available. This is particularly recommended for G Suite admins who handle the calendars of people in an organization.

 

Google provides easy-to-follow steps to manage sharing options for users as well as to limit what and how much they can share internally and externally.

 

Source
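
The "share only busy/available" advice above can be checked mechanically. The following is an added example, not part of the original post or of any Google tooling: it audits calendar sharing rules for public exposure of event details. It assumes the rules are shaped like Google Calendar API ACL resources, where scope type `default` is the public scope and role `freeBusyReader` exposes only busy/available status. The calendar IDs, domains and severity labels are constructed for illustration.

```python
# Constructed sample: per-calendar ACL rules shaped like the "items" array
# returned by the Google Calendar API acl.list method. All IDs are made up.
SAMPLE_ACLS = {
    "hiring@example.com": [
        {"scope": {"type": "user", "value": "hr@example.com"}, "role": "owner"},
        {"scope": {"type": "default"}, "role": "reader"},  # public, full details
    ],
    "frontdesk@example.com": [
        {"scope": {"type": "default"}, "role": "freeBusyReader"},  # public, busy only
    ],
    "board@example.com": [
        {"scope": {"type": "domain", "value": "example.com"}, "role": "reader"},
        {"scope": {"type": "domain", "value": "partner.example"}, "role": "writer"},
    ],
}

# Roles ordered from least to most access.
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}


def audit_acl(calendar_id, rules, own_domain):
    """Return (calendar_id, severity, detail) findings for one calendar."""
    findings = []
    for rule in rules:
        scope = rule.get("scope", {})
        role = rule.get("role", "none")
        rank = ROLE_RANK.get(role, 4)  # unknown role: assume the worst
        if rank == 0:
            continue  # "none" grants no access
        if scope.get("type") == "default":  # "default" is the public scope
            if rank >= ROLE_RANK["reader"]:
                findings.append((calendar_id, "HIGH", f"public with event details ({role})"))
            else:
                findings.append((calendar_id, "OK", "public, free/busy only"))
        elif scope.get("type") == "domain" and scope.get("value") != own_domain:
            detail = f"shared with external domain {scope.get('value')} ({role})"
            findings.append((calendar_id, "MEDIUM", detail))
    return findings


def audit_all(acls, own_domain):
    """Audit every calendar, in sorted order of calendar ID."""
    return [f for cal, rules in sorted(acls.items()) for f in audit_acl(cal, rules, own_domain)]


if __name__ == "__main__":
    for cal, severity, detail in audit_all(SAMPLE_ACLS, "example.com"):
        print(f"{severity:6} {cal}: {detail}")
```

Fetching the rules for real calendars is left out; an admin would feed in the ACL items retrieved for each calendar they manage.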
