Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

  • Products

    Netskope products are built on the Netskope Security Cloud.

Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report

Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more

Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more

Zero trust solutions for SSE and SASE deployments

Learn more

Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
  • Customer Success

    Secure your digital transformation journey and make the most of your cloud, web, and private applications.

  • Customer Support

    Proactive support and engagement to optimize your Netskope environment and accelerate your success.

Trust Netskope to help you address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Learn more

We have qualified engineers worldwide, with diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ready to give you timely, high-quality technical assistance.

Learn more
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Bonus Episode: The Importance of Security Service Edge (SSE)

Play the podcast

Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog

Join us for a complimentary, hands-on cloud security workshop that’ll teach you how to securely adopt cloud services within the enterprise.

Find a workshop

What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more

Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more

Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team

Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Blog Threat Labs Leaky Calendars – Accidental Exposure in Google Calendar
Feb 04 2020

Leaky Calendars – Accidental Exposure in Google Calendar

When Netskope Threat Labs reviews a cloud service, we commonly identify two types of threats: malicious actors actively abusing the service and normal users putting themselves at unnecessary risk by misconfiguring the service. This post is one in a series where we discuss both of these threats against a specific service and provide recommendations to users to protect themselves. Today’s topic: Google Calendar.

First, we discuss “Leaky Calendars:” These are calendars and events that users have accidentally made public. Our research has yielded hundreds of leaky calendars. Event descriptions can contain sensitive information or private links, and we provide some stats indicating how much sensitive information we have found in Google Calendar. Making those events public can lead to sensitive data exposure. We also provide steps to check if you have accidentally exposed your calendars and how to lock them down if you have.

We will highlight a threat propagating through Google Calendar: Scams spreading through Calendar invitations, covered widely by the media in June 2019. We also recommend steps a user can take to mitigate the impact of these threats.

Google Calendar

Google Calendar allows you to share calendars to let others know your availability or the details of your agenda. Calendar settings have an option called “Access Permissions”, that allows controlled access to people via a shared link as shown in Figure 1.

Figure 1: Shareable link to Google Calendar

The above option grants access permissions to specific users. As an alternative, Google has an option to make the calendar public as shown in Figure 2.

Figure 2: Making Google Calendar public

While enabling this option, the user is warned that enabling the action will make the calendar public, and that it will be searchable, as shown in Figure 3.

Figure 3: Warning message on making the calendar public

Enabling this option will expose your calendar to the public Internet, which makes it easy for others to find your data. As this option enables everyone to see all event details, this presents exposure concerns — event descriptions may contain private information or links to private resources. We commonly find videoconferencing links and internal documents shared in event descriptions. Often, these links don’t have any authentication and are meant to be kept private. Once exposed by a leaky calendar, these links can be used by anyone. We have observed hundreds of such calendar invites exposed to the public which appear to have been shared accidentally.

We recommend double checking that your calendars do not have the “Make available to public” option selected.  If you need the public to know when you are free, for example to schedule appointments with you, we recommend enabling the “See only free / busy (hide details)” option as shown in Figure 4. This option can only be selected after “Make available to public” is selected. 

Figure 4: Options for making the calendar available to public

Enterprises have the added options of sharing a calendar within their organization and and with other Google apps, as shown in Figure 5.

Figure 5: Enterprise Users recommended setting for Google Calendars

Lastly, we look at threats against Google calendar that abuse the “Automatically add invitations” setting, shown in Figure 6.  

Figure 6: Event settings option

Attackers send victims calendar invites with spamvertised links as described here. By default, the invitations are added to the victims calendar and present notifications to the user as the event nears. We recommend users change this option, to either suppress event notifications or only show events in the calendar after they have been accepted, shown in Figure 7.

Figure 7. Invitations options

Conclusion

This first edition of our leaky cloud apps series provided a preliminary overview of how confidential information gets leaked through Google Calendar. The leaked information could give adversaries access to additional data and infrastructure.  We recommend auditing your calendar and event settings to ensure you aren’t leaking any information. We also describe a common threat — Google Calendar Spam — that we recommend mitigating by disabling automatic notifications.

Stay tuned for our next edition, which will cover Google Groups.

author image
About the author
Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services. He is primarily focusing in identifying new attack vectors and malwares, campaigns and threat actors using ‘cloud as an attack vector.’
Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services. He is primarily focusing in identifying new attack vectors and malwares, campaigns and threat actors using ‘cloud as an attack vector.’