When Netskope Threat Labs reviews a cloud service, we commonly identify two types of threats: malicious actors actively abusing the service and normal users putting themselves at unnecessary risk by misconfiguring the service. This post is one in a series where we discuss both of these threats against a specific service and provide recommendations to users to protect themselves. Today’s topic: Google Calendar.
First, we discuss “Leaky Calendars:” These are calendars and events that users have accidentally made public. Our research has yielded hundreds of leaky calendars. Event descriptions can contain sensitive information or private links, and we provide some stats indicating how much sensitive information we have found in Google Calendar. Making those events public can lead to sensitive data exposure. We also provide steps to check if you have accidentally exposed your calendars and how to lock them down if you have.
We will highlight a threat propagating through Google Calendar: Scams spreading through Calendar invitations, covered widely by the media in June 2019. We also recommend steps a user can take to mitigate the impact of these threats.
Google Calendar
Google Calendar allows you to share calendars to let others know your availability or the details of your agenda. Calendar settings have an option called “Access Permissions”, that allows controlled access to people via a shared link as shown in Figure 1.
Figure 1: Shareable link to Google Calendar
The above option grants access permissions to specific users. As an alternative, Google has an option to make the calendar public as shown in Figure 2.
Figure 2: Making Google Calendar public
While enabling this option, the user is warned that enabling the action will make the calendar public, and that it will be searchable, as shown in Figure 3.