• Thousands of Google Calendars have been found to be exposing private data online.
  • More than 8000 such Google Calendars were discovered. These were indexed by Google’s search engine which means anyone can access data and add events to these Calendars.

Avinash Jain, a security researcher from India discovered these Google Calendars and published a blog post about it.

Not a vulnerability but a misconfiguration

This is not a bug or vulnerability in the Google Calendar services. It is the intended behavior for collaboration.

Employees may make calendars public for a specific group of people and intend to share the link with them only. But it gets indexed on Google and anyone can access it.

“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it — just by a single search query without being shared the calendar link,” says Avinash in the blog.

What is the significance?

The discovered calendars belonged to various organizations and exposed sensitive information such as internal presentation links, employee email addresses, event names, and more.

  • This means that a single employee’s mistake may cause sensitive organizational data to be public.
  • An advanced search query on Google can list all publicly shared calendars and grant access to the sensitive data they contain.
  • Google doesn’t notify the Calendar creator when someone accesses it or adds an event. This makes it hard for users to identify if someone other than the intended group of people is accessing it.

What can you do?

Check your Google Calendar settings to make sure you’re not unintentionally making your data public.

  • GSuite admins can go through Google’s guide to understand better how the sharing works.
  • There is also an option of creating alerts when Google docs, presentations, and calendars go public.
Cyware Publisher