Google Calendar has been popular for some time now with businesses and individuals for its ease of use, flexibility and integration with Google Accounts. Of all of its features, however, the one-click calendar invite has been among the most frequently used. Thanks to Google, all it takes to set a meeting or plan an event is a simple email and response chain.
On the flip side, though, calendar invites have also proven to be the platform’s Achilles heel. Previously, a security flaw in calendar invites allowed cybercriminals to target Google users with phishing scams and spam messages. Now, a new vulnerability discovered in Google Calendar has the potential to cause users even more pain than before.
Researchers have discovered that a default setting in Google’s Calendar app can potentially show your entire schedule to the entire internet. What’s worse, with this setting enabled, calendar events and private data can even be accessed by search. If you care about keeping your activities private, here’s the one setting in Google Calendar you should never enable under any circumstances.
Public calendars are, quite literally, ‘public’
According to new reports from Forbes, a security researcher working at Indian e-commerce firm Grofers discovered a vulnerability in Google’s Calendar settings that makes it easy for anyone to see and access your private schedule.
Avinash Jain, the researcher, claims he was inspired to look deeper into Google Calendar in response to previous issues with malicious calendar invites and was shocked to discover just how vulnerable the entire system was in terms of privacy. No, this isn’t anything to do with misconfigured code or a bug, but rather the open nature of Google’s platform.
Google Calendar has long had the option for calendar sharing, which allows people to plan and schedule events collaboratively. One option, built into Google’s system, allows users to make their calendars public.
What most users aren’t aware of, however, is how “public” the calendar truly becomes: all events, times, locations and names of attendees are visible and searchable via Google. This means that anyone looking up your company could easily find your public calendar through a normal search, a consequence that is quite concerning.
Is this normal?
Unfortunately, public calendars are all part of the intended usage for Google’s platform, but that doesn’t make the issue any safer. A public calendar, for example, could be harnessed by a stalker to know exactly where you and your coworkers are on any given day. And that’s not even including the privacy implications of sharing details of each attendee.
To Google’s credit, it does inform you that, by taking a calendar public, you are making it “known to the world” and available on Google search. Despite this, a staggering number of people continue to make calendar events public without knowing the full scope of what that entails.
A dedicated cybercriminal, for example, could easily utilize a public calendar to find the email addresses of everyone involved with an event. That’s why it’s in your best interest to keep your calendars private, or at the very least, between you and the invitees only.
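As an added example (not from the researcher, Forbes or Google), here is one way an administrator could check which calendars are exposed, by reading each calendar's sharing rules as returned by the Google Calendar API's ACL list call. It assumes the API's documented rule shape, where a scope type of "default" means the public; the calendar IDs and addresses are constructed sample data.

```python
import json

# Constructed sample of Calendar API ACL list responses, keyed by calendar ID.
SAMPLE_ACLS = json.loads("""
{
  "team-offsite@example.com": {"items": [
    {"id": "user:alice@example.com", "scope": {"type": "user", "value": "alice@example.com"}, "role": "owner"},
    {"id": "default", "scope": {"type": "default"}, "role": "reader"}
  ]},
  "support-hours@example.com": {"items": [
    {"id": "default", "scope": {"type": "default"}, "role": "freeBusyReader"}
  ]},
  "finance@example.com": {"items": [
    {"id": "domain:example.com", "scope": {"type": "domain", "value": "example.com"}, "role": "reader"}
  ]}
}
""")

# What each role reveals when it is granted to the public ("default") scope.
PUBLIC_EXPOSURE = {
    "freeBusyReader": "busy-times-only",
    "reader": "full-event-details",
    "writer": "full-event-details",
    "owner": "full-event-details",
}

def classify_calendar(acl):
    """Return the exposure level of one calendar from its ACL response."""
    worst = "not-public"
    for rule in acl.get("items", []):
        if rule.get("scope", {}).get("type") != "default":
            continue  # rule targets a named user, group or domain
        level = PUBLIC_EXPOSURE.get(rule.get("role"))
        if level == "full-event-details":
            return level  # nothing is worse than this, stop early
        if level:
            worst = level
    return worst

def audit(acls):
    """Map every calendar ID to its exposure level, most exposed first."""
    order = {"full-event-details": 0, "busy-times-only": 1, "not-public": 2}
    report = {cal: classify_calendar(acl) for cal, acl in acls.items()}
    return dict(sorted(report.items(), key=lambda kv: (order[kv[1]], kv[0])))

if __name__ == "__main__":
    for cal, level in audit(SAMPLE_ACLS).items():
        print(f"{level:20} {cal}")
```

A calendar reported as "full-event-details" is the case the article describes: event names, times, locations and attendees readable by anyone.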
Between open invites that let in spam and malicious events, and public calendars displayed for the whole internet to see, Google has a lot of work to do in order to make its calendar more secure.
Seeing that many of the issues listed are part of the calendar’s default setup, the company may need to consider rebuilding from the ground up. In an ever-changing digital battlefield, security matters as much as usability. Otherwise, Google may find its users jumping ship to a safer service.