Google Calendar Privacy Concerns RaisedCompanies Need to Be Aware of Risks
A misconfiguration in a Google Calendar function that allows Google to index calendars raises serious privacy concerns because it could lead to inadvertent, broad public exposure of calendars that contain sensitive information, including corporate details, a researcher reports.
Avinash Jain, a security researcher at Grofers, an e-commerce company in India, recently pinpointed the privacy concern involving calendar sharing - the latest in a series of privacy issues he's called attention to at Google, Yahoo and others.
Google Calendar users have several options for sharing their calendar so others can view upcoming events. But Jain discovered that any calendar designated as "public" for sharing gets indexed by Google and then can be viewed by anyone making a Google search query, without the calendar link being shared with them.
Google did not respond to Information Security Media Group's request for comment. But in a reply to Forbes, it stated: "Calendar sharing is private by default for both G Suite and consumer Calendar users. G Suite admins can control the level of detail with which enterprise users can share their calendar externally. A G Suite user cannot exceed the level of event details allowed by their admin for external sharing. Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public."
U.K.-based Jake Moore, cybersecurity specialist for ESET, an anti-virus company, tells Information Security Media Group that companies using Google calendars must generate user awareness of the risks involved in making them public.
"If companies choose to use Google for their business calendar events, such firms must consider providing adequate training to make sure their employees understand the risks around keeping their company data secure," he says.
Organizations should use the functions of a G Suite admin role, such as setting up an alert when a user makes a calendar public, he adds.
The Risks Involved
Twelve years ago, Google added its "make it public" feature to its web-based calendar service as a way for users to discover events through search engines, Jain notes. "I only recently discovered that sensitive corporate information can inadvertently be made public using Google Calendar," he says.
Inadvertently exposing a calendar can pose risks, security experts say. For example, a calendar might include sensitive information about an upcoming board meeting. The below image shows that.
Jain claims that there are over 8,000 publicly accessible Google calendars searchable using the Google engine that allow anyone to not only access sensitive details saved to them but also add new events with maliciously crafted information or links.
Google doesn't notify the creator of a public calendar when someone accesses it or adds an event to it, Jain says. Plus, the Google Calendar interface lacks an indicator that a calendar has been designated public so users know not to post sensitive information on it, he adds.
Some security experts are calling on Google to add these and other extra security functions.
Jain points out the recent case involving Shopify, a Canadian e-commerce company. Employees had their Google Calendars set to public, which enabled a researcher to access confidential and sensitive company information.
"By using a tool to find all "@shopify.com" emails, and then running this list through a Google Calendar feature that enables the adding of other people's calendars, the researcher found the public employee ones," Jain says. Information that was accessible included onsite interview data that revealed new hire information as well as internal company presentations and Zoom meeting links that put internal information at risk, Jain says.
Anthony Lim, an independent cybersecurity consultant based in Singapore, say calendar users often don't pay attention to the details.
"Typically, most of us do not bother about calendars since it is something we take for granted," he says. "Google can't be entirely faulted because they do give out a warning to users. However, as users, most of us do not understand the complete implications of the warning. So we tend to grant permission [for public access]."
As a result, users of various services, including Google Calendar, need simpler tools to make clear security choices, says Singapore-based Jerry Ray, COO at SecureAge Technology.