Just One Click To Leak Your Google Calendar

Earlier in September, Google was finally notified of a serious—yet simple—problem with Google Calendars.

They were working on a fix that prevented malicious calendar invites for Google Calendar users. This serious vulnerability (now fixed) could have opened hug cans of worms that potentially could have wreaked havoc by penetrating your network through a seemingly harmless Google invite.

But as the month went on, entirely different weaknesses in Google Calendar were exposed. What we later found out was Google Calendar had a serious security risk.

While easily fixed by changing default settings (something a good majority of businesses using Google’s products had no idea of), Google Calendar users were able to share calendars from your entire organization simply with one harmless click.

While sharing a calendar isn’t regarded as a security vulnerability from Google’s perspective, it may leave you just a click away to sharing with strangers your client’s names, your business processes, meetings and information that you might not feel comfortable having everyone see.

All of this information—anything you might have stored in your calendar—was just one click away from getting published to the world. Could you imagine being the person that accidentally clicked one single button that shared every single calendar event within your business?

Could you imagine being the business that now has its entire calendar shared with the world?

While many businesses did not initially see this Google Calendar flaw as a problem, security experts certainly saw privacy issues and potential security implications long term.

To start, what is the deal with Google Calendar settings?

Google admits that organizations vulnerable to this Google Calendar flaw have misconfigured settings. Digging a little deeper into the root cause of this problem, it seems like this problem isn’t really a bug with Google, but rather how Google designed the software. By default, Google allowed anyone that uses your calendar to share that information publically.

If you take a look into your Google Calendar Settings, you can restrict that sharing ability to particular people, say administrators of the calendar. BUT, by default, Google has set everyone who has access to that calendar with the ability to share whatever you might have in that calendar.

Why would you share a calendar with someone else?

I’m sure you have a variety of events within your organization that you want your team to be aware of. Maybe its birthday celebrations, company outings, meetings, or deadlines. Maybe you have different groups within your organization that set up specific educational seminars.

When someone wants to share information, they can use a Google Calendar to set up events and update them in real-time, keeping everyone in the loop. Sounds like a great idea, right?

They make sure that the calendar is made public to people that are intended on seeing and knowing about the events.

What we see is that more often than not, these calendars have more information than you would typically want to share with anyone outside of your team.

And with one click, one user that has access to that calendar may click the option to “make available to public”, which then in turn allows anyone to see the calendar’s complete information. There are some other options, one of which restricts the type of information shown as simply “free” or “busy” time. But for most folks, all of the calendar information is out in the open and at risk of being exposed with simply one click to publish it.

How to stop sharing a calendar publically?

A user will uncheck the public box. One caveat here is that Google acknowledges that it may take up to 4 hours to make something private again, once it had been made public.

Just to emphasize what public means in Google’s eyes, take a look at their disclaimer:

So, what’s the privacy problem with Google Calendar again?

“Making your calendar public will make all events visible to the world, including by way of Google search. Are you sure?”

By affirming that you want to make your calendar public, you or someone on your team is affirming that there is no privacy issues with sharing the information within your calendar (that may not be the case!).

Another major problem we see?

When users click on the public box, most intend that public means to make it public within their team. The big issue is that is not what Google intends public to be. Anyone can find your calendar, even if they don’t have a specific link. If your calendar settings allow employees that shouldn’t have control over it to add or edit events (this again is the default), your company information published on your calendar may very well be leaked.

How can an organization using Google Calendar mitigate this risk?

If you use GSuite, you will want to make sure you have applied a universal, organization-wide setting so that all public calendars only display a free or busy status (no pertinent information). This should have been the default, but in many cases, GSuite has been misconfigured within organizations and this setting is not properly set up correctly.

One Big Point?

Misconfigurations represents one of the biggest reasons your network runs slow, you have security vulnerabilities, or you are sharing your Google Calendars’ full information with the public. One of the easiest ways to see where your misconfigurations lie is through a network security assessment.

Scroll to Top