Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently didn't fix this at the time as it would have caused "major functionality drawbacks" for Calendar users, despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin' Fest. Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that "Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse." That statement went on to say that Google offers "security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters." Now, it seems, Google is finally taking this security problem somewhat more seriously.
How does the Google Calendar attack work?

Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications. Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. Combine these two facts and users find themselves in a situation whereby the threat actor can use this non-traditional attack vector to bypass the increasing amount of awareness amongst average users when it comes to the danger of clicking unsolicited links.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it. Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected. It's wrong to think of this as just being spam, as Google appears to want to classify it, or for that matter just another phishing scheme. "Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," Javvad Malik, security awareness advocate at KnowBe4, said when I wrote that first report. Malik told me that to gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, "could allow physical access to secure areas."
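The mechanics above (anyone can send an invite, and the invite body carries the link) also describe what a defender can check for. The script below is an added example, not code from the article or from Google: it parses a calendar invitation in iCalendar (.ics) form, the format a mail client receives as a text/calendar attachment, and flags invitations whose organizer is not a known contact and which carry links, or whose links point at a host unrelated to the organizer's domain. The sample invitation, the addresses and the trusted-sender lists are all constructed for the example; in practice the trusted lists would come from an address book or directory.

```python
"""Flag unsolicited calendar invitations that carry links (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a minimal iCalendar (RFC 5545) invitation of the kind a
# mail client receives as a text/calendar attachment. Every address is made up.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed-example//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@mail-offers.invalid
ORGANIZER;CN=Prize Team:mailto:promo@mail-offers.invalid
ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION:mailto:victim@example.invalid
SUMMARY:You have won! Claim your reward
DESCRIPTION:Complete the short survey to receive your payment:\\n
 https://survey.example.invalid/claim?id=123
LOCATION:https://survey.example.invalid/claim
DTSTART:20190820T090000Z
DTEND:20190820T093000Z
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s,;<>\"']+", re.IGNORECASE)


def unfold(text: str) -> list[str]:
    """Join RFC 5545 folded lines (a continuation starts with a space or tab)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vevents(text: str) -> list[dict[str, str]]:
    """Return one {PROPERTY: value} dict per VEVENT, dropping parameters.

    Simplification: a property line is split at its first ':', which handles
    the usual 'NAME;PARAM=x:value' shape but not quoted parameter values.
    """
    events: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_params, _, value = line.partition(":")
            name = name_params.split(";")[0].upper()
            # Undo the two iCalendar text escapes that matter for link extraction.
            current[name] = value.replace("\\n", "\n").replace("\\,", ",")
    return events


@dataclass
class Verdict:
    uid: str
    organizer: str
    urls: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_invite(event: dict[str, str], trusted_senders: set[str],
                  trusted_domains: set[str]) -> Verdict:
    """Score one VEVENT: unknown organizer plus links, or off-domain links."""
    organizer = event.get("ORGANIZER", "").lower()
    if organizer.startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    org_domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    urls = [u for prop in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL")
            for u in URL_RE.findall(event.get(prop, ""))]
    reasons: list[str] = []
    known = organizer in trusted_senders or org_domain in trusted_domains
    if not known:
        reasons.append(f"organizer {organizer or '<none>'} is not a known contact")
        if urls:
            reasons.append(f"unsolicited invitation carries {len(urls)} link(s)")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if org_domain and host != org_domain and not host.endswith("." + org_domain):
            reasons.append(f"link host {host} does not match organizer domain {org_domain}")
    return Verdict(event.get("UID", ""), organizer, urls, reasons)


def scan_ics(text: str, trusted_senders: set[str], trusted_domains: set[str]) -> list[Verdict]:
    return [assess_invite(ev, trusted_senders, trusted_domains) for ev in parse_vevents(text)]


if __name__ == "__main__":
    # Constructed trust lists standing in for an address book / directory.
    for verdict in scan_ics(SAMPLE_ICS, {"alice@corp.invalid"}, {"corp.invalid"}):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag}: {verdict.uid} from {verdict.organizer}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

A mail gateway or a scheduled job over a mailbox could run the same check before an invite is auto-added to the calendar, which is exactly the moment the attack relies on; the "known contact" test is the part that defeats the trust the article describes, since the notification looks identical whether or not the organizer is someone the user has ever dealt with.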
Google confirms the Calendar app security problem

Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google employee, states that "We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available."
Although I am sad that Google is still referring to this as a spam issue, rather than explicitly a security one, at least it shows that Google not only confirms there is a problem after all but also that it is committed to fixing it.
That same posting included a link to "learn how to report and remove spam," which is worth reading as it contains hands-on advice for every Google Calendar user who is concerned about getting caught out by this particular attack. Which, in my never humble opinion, should be every Google Calendar user.
This includes delving into Calendar settings and changing the "Event" configuration from "Automatically add invitations" to "No, only show invitations to which I have responded." Users are also advised to remove the automatic adding of events function from Gmail by configuring the "Events from Gmail" option so that the "Add automatically" box is unchecked.