Google Calendar Privacy Concerns Raised

Companies Need to Be Aware of Risks
A misconfiguration in a Google Calendar function that allows Google to index calendars raises serious privacy concerns because it could lead to inadvertent, broad public exposure of calendars that contain sensitive information, including corporate details, a researcher reports.

Avinash Jain, a security researcher at Grofers, an e-commerce company in India, recently pinpointed the privacy concern involving calendar sharing – the latest in a series of privacy issues he’s called attention to at Google, Yahoo and others.

Google Calendar users have several options for sharing their calendar so others can view upcoming events. But Jain discovered that any calendar designated as “public” for sharing gets indexed by Google and then can be viewed by anyone making a Google search query, without the calendar link being shared with them.

Google did not respond to Information Security Media Group’s request for comment. But in a reply to Forbes, it stated: “Calendar sharing is private by default for both G Suite and consumer Calendar users. G Suite admins can control the level of detail with which enterprise users can share their calendar externally. A G Suite user cannot exceed the level of event details allowed by their admin for external sharing. Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public.”

Take Precautions

U.K.-based Jake Moore, cybersecurity specialist for ESET, an anti-virus company, tells Information Security Media Group that companies using Google calendars must generate user awareness of the risks involved in making them public.

“If companies choose to use Google for their business calendar events, such firms must consider providing adequate training to make sure their employees understand the risks around keeping their company data secure,” he says.

Organizations should use the functions of a G Suite admin role, such as setting up an alert when a user makes a calendar public, he adds.

The Risks Involved

Twelve years ago, Google added its “make it public” feature to its web-based calendar service as a way for users to discover events through search engines, Jain notes. “I only recently discovered that sensitive corporate information can inadvertently be made public using Google Calendar,” he says.

The warning box pops up when users agree to share their calendars publicly.

Inadvertently exposing a calendar can pose risks, security experts say. For example, a calendar might include sensitive information about an upcoming board meeting, as the image below shows.

A sample of exposed calendar data (Source: Avinash Jain)

Jain claims that there are over 8,000 publicly accessible Google calendars searchable using the Google engine that allow anyone to not only access sensitive details saved to them but also add new events with maliciously crafted information or links.

Google doesn’t notify the creator of a public calendar when someone accesses it or adds an event to it, Jain says. Plus, the Google Calendar interface lacks an indicator that a calendar has been designated public so users know not to post sensitive information on it, he adds.

Some security experts are calling on Google to add these and other extra security functions.

Jain points out the recent case involving Shopify, a Canadian e-commerce company. Employees had their Google Calendars set to public, which enabled a researcher to access confidential and sensitive company information.

“By using a tool to find all ‘@shopify.com’ emails, and then running this list through a Google Calendar feature that enables the adding of other people's calendars, the researcher found the public employee ones,” Jain says. Information that was accessible included onsite interview data that revealed new hire information as well as internal company presentations and Zoom meeting links that put internal information at risk, Jain says.

Risks Overlooked

Anthony Lim, an independent cybersecurity consultant based in Singapore, says calendar users often don’t pay attention to the details.

“Typically, most of us do not bother about calendars since it is something we take for granted,” he says. “Google can’t be entirely faulted because they do give out a warning to users. However, as users, most of us do not understand the complete implications of the warning. So we tend to grant permission [for public access].”

As a result, users of various services, including Google Calendar, need simpler tools to make clear security choices, says Singapore-based Jerry Ray, COO at SecureAge Technology.


About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.
