When Netskope Threat Labs reviews a cloud service, we commonly identify two types of threats: malicious actors actively abusing the service and normal users putting themselves at unnecessary risk by misconfiguring the service. This post is one in a series where we discuss both of these threats against a specific service and provide recommendations to users to protect themselves. Today’s topic: Google Calendar.
First, we discuss “Leaky Calendars:” These are calendars and events that users have accidentally made public. Our research has yielded hundreds of leaky calendars. Event descriptions can contain sensitive information or private links, and we provide some stats indicating how much sensitive information we have found in Google Calendar. Making those events public can lead to sensitive data exposure. We also provide steps to check if you have accidentally exposed your calendars and how to lock them down if you have.
We will highlight a threat propagating through Google Calendar: Scams spreading through Calendar invitations, covered widely by the media in June 2019. We also recommend steps a user can take to mitigate the impact of these threats.
Google Calendar allows you to share calendars to let others know your availability or the details of your agenda. Calendar settings have an option called “Access Permissions”, that allows controlled access to people via a shared link as shown in Figure 1.
Figure 1: Shareable link to Google Calendar
The above option grants access permissions to specific users. As an alternative, Google has an option to make the calendar public as shown in Figure 2.
Figure 2: Making Google Calendar public
While enabling this option, the user is warned that enabling the action will make the calendar public, and that it will be searchable, as shown in Figure 3.
Figure 3: Warning message on making the calendar public
Enabling this option will expose your calendar to the public Internet, which makes it easy for others to find your data. As this option enables everyone to see all event details, this presents exposure concerns — event descriptions may contain private information or links to private resources. We commonly find videoconferencing links and internal documents shared in event descriptions. Often, these links don’t have any authentication and are meant to be kept private. Once exposed by a leaky calendar, these links can be used by anyone. We have observed hundreds of such calendar invites exposed to the public which appear to have been shared accidentally.
We recommend double checking that your calendars do not have the “Make available to public” option selected. If you need the public to know when you are free, for example to schedule appointments with you, we recommend enabling the “See only free / busy (hide details)” option as shown in Figure 4. This option can only be selected after “Make available to public” is selected.
Figure 4: Options for making the calendar available to public
Enterprises have the added options of sharing a calendar within their organization and and with other Google apps, as shown in Figure 5.
Figure 5: Enterprise Users recommended setting for Google Calendars
Lastly, we look at threats against Google calendar that abuse the “Automatically add invitations” setting, shown in Figure 6.
Figure 6: Event settings option
Attackers send victims calendar invites with spamvertised links as described here. By default, the invitations are added to the victims calendar and present notifications to the user as the event nears. We recommend users change this option, to either suppress event notifications or only show events in the calendar after they have been accepted, shown in Figure 7.
Figure 7. Invitations options
This first edition of our leaky cloud apps series provided a preliminary overview of how confidential information gets leaked through Google Calendar. The leaked information could give adversaries access to additional data and infrastructure. We recommend auditing your calendar and event settings to ensure you aren’t leaking any information. We also describe a common threat — Google Calendar Spam — that we recommend mitigating by disabling automatic notifications.
Stay tuned for our next edition, which will cover Google Groups.