Google Calendar is a wonderful feature by Google with regards to defining events. However, misconfiguring Google Calendar settings can reveal events to the public. This applies to all private and business events.
Google Calendar Events Go Public
Security researcher Avinash Jain has discovered how ignoring some settings of Google Calendar can share the events publicly. He has elaborated his findings in a blog post.
According to the researcher, Google Calendar has numerous dedicated settings to manage event sharing. Through these settings, the users can control whether to disclose an event to specific users or the public.
While that sounds a useful feature, the problem lies with the events’ indexing with Google. Specifically, anyone can search all such public events using Google dorks (advanced search parameter).
The researcher himself found over 200 such events, many of which should ideally be private. However, due to the misconfiguration, these events appeared in searches. These events also disclosed other sensitive data to the public. As stated by the researcher,
It provided me access to private information about the company’s meetings, interviews, events, internal information, presentation links, locations, etc…
I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links, google hangout links, internal presentation links and much more.
Whereas, anyone can also search for events for a specific user simply via his or her email address. Doing so merely requires anyone to type the personal or company email address in the following ways in the URL bar.
Is There a Fix?
The exposure of Google Calendar events to the public is not really a vulnerability. Rather it’s a ‘feature’ offered by Google to users. The problem lies because the users may not figure out when they inadvertently make their events public since they do not receive any notifications in this regard. Thus, the users unknowingly leave the settings as is, making the events visible to the public.
Addressing this issue isn’t a big deal. Google offers detailed Calendar settings to manage event sharing. Moreover, according to their statement quoted by BleepingComputer, the default Calendar settings are already private.
Calendar sharing is private by default for both G Suite and consumer Calendar users. G Suite admins can control the level of detail with which enterprise users can share their calendar externally. A G Suite user cannot exceed the level of event details allowed by their admin for external sharing. Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public.
Let us know your thoughts in the comments.