Avinash Jain, a security researcher from India discovered these Google Calendars and published a blog post about it.
Not a vulnerability but a misconfiguration
This is not a bug or vulnerability in the Google Calendar services. It is the intended behavior for collaboration.
Employees may make calendars public for a specific group of people and intend to share the link with them only. But it gets indexed on Google and anyone can access it.
“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it — just by a single search query without being shared the calendar link,” says Avinash in the blog.
What is the significance?
The discovered calendars belonged to various organizations and exposed sensitive information such as internal presentation links, employee email addresses, event names, and more.
What can you do?
Check your Google Calendar settings to make sure you’re not unintentionally making your data public.