{"id":577,"date":"2019-09-18T10:05:18","date_gmt":"2019-09-18T09:05:18","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=577"},"modified":"2019-11-26T07:07:46","modified_gmt":"2019-11-26T07:07:46","slug":"google-calendars-leaking-information","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/google-calendars-leaking-information\/","title":{"rendered":"Thousands of Google Calendars Possibly Leaking Private Information Online"},"content":{"rendered":"
\n
\"google<\/a>
public google calendar<\/figcaption><\/figure>\n<\/div>\n

“Warning \u2014 Making your calendar public will make all events visible to the world, including via Google search. Are you sure?” Google Calendars<\/p>\n

Remember this security warning? No? Google Calendars<\/p>\n

If you have ever shared your Google Calendars, or maybe\u00a0inadvertently, with someone that should not be publicly accessible anymore, you should immediately<\/p>\n

go back to your\u00a0Google settings<\/a>\u00a0and check if you’re exposing all your events and business activities on the Internet accessible to anyone.<\/p>\n

At the time of writing, there are over 8000 publicly accessible Google Calendars, searchable using Google engine itself, that allow anyone to not only access sensitive Google Calendars<\/p>\n

details saved to them but also add new events with maliciously crafted information or links, security researcher Avinash Jain told The Hacker News.<\/p>\n

Avinash Jain<\/a>, a security researcher from India working in an e-commerce company, Grofers,<\/p>\n

who previously found vulnerabilities in other platforms like NASA, Google, Jira, and Yahoo.<\/p>\n

“I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links,<\/p><\/blockquote>\n

google hangout links, internal presentation links and much more,” Avinash says in a post exclusively\u00a0shared<\/a>\u00a0with The Hacker News.<\/p><\/blockquote>\n

Well, since it’s intended behavior of the Calendar Service that comes as a handy feature to collaborate with people by making a Calendar public, one can not directly blame Google for the exposed data. Google Calendars<\/p>\n

\n
\"public<\/a>
public google calendar<\/figcaption><\/figure>\n<\/div>\n

 <\/p>\n

\n
\"public<\/a>
public google calendar<\/figcaption><\/figure>\n<\/div>\n

 <\/p>\n

“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it\u2014just by a single search query without being shared the calendar link,” Avinash says. Google Calendars<\/p><\/blockquote>\n

Also, the issue is really not new, instead it was first\u00a0raised 12 years ago<\/a>\u00a0when Google added this \u201cmake it public\u201d feature to its web-based calendar service as a cool way for users to discover exciting events through the search engines,<\/p>\n

but a few quick searches revealed sensitive corporate information that was inadvertently made public using Google Calendar.<\/p>\n

As the researcher says since Google doesn’t notify the creator of a public Calendar when someone accesses it or adds an event to it,<\/div>\n
the feature makes it harder for users to know if they are exposing information unintentionally<\/div>\n
\n

and are even open to spammers and phishers as well.<\/p>\n

Besides this, there’s also no graphical indication on the Calendar interface from where users can get a hint that they had made that Calendar public and should stop adding personal events to the same.\u00a0 Google Calendars<\/p>\n

Using an advanced Google search query (Google Dork), one can list all publicly available Calendars within seconds and access every information,<\/p>\n<\/div>\n

\n

including sensitive corporate data belonging to some organizations, as shown in the screenshots shared by Avinash.<\/p>\n

“Various calendars belonged to many of the top 500 Alexa company’s employees as well, which intentionally\/unintentionally were made public by the employee themselves,” Avinash warns.<\/p><\/blockquote>\n

A few months ago, security firm Kaspersky also\u00a0discovered<\/a>\u00a0scammers abusing Google Calendar service to target users with credential-stealing attacks, where phishers were sending victims an email containing a crafted event invitation with malicious links.<\/p>\n

In case if a user wants to share a Calendar with someone privately, Google also allows users to invite specific users by adding their email addresses under Calendar settings, instead of making them accessible to the public.<\/p>\n<\/div>\n

Read More About Dep Web<\/a><\/p>\n

Have something to say about this article? Comment below or share it with us on\u00a0Facebook<\/a>,\u00a0Twitter<\/a>\u00a0or our\u00a0LinkedIn Group<\/a>.<\/div>\n","protected":false},"excerpt":{"rendered":"

“Warning \u2014 Making your calendar public will make all events visible to the world, including via Google search. Are you<\/p>\n","protected":false},"author":1,"featured_media":578,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[159],"yst_prominent_words":[273,278,271,277,269,288,263,284,274,276,275,279,285,290,289,264,286,272,287,170],"class_list":["post-577","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news","tag-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=577"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/577\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/578"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=577"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}