Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability within the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently did not fix this at the time as it could have caused “major functionality drawbacks” for Calendar users, despite these researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin’ Fest. Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.” That statement went on to say that Google provides “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” Now, it appears, Google is finally taking this security problem somewhat more seriously.
How does the Google Calendar attack work?
Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications.
Google Calendar allows anybody to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. Combine these two facts and users find themselves in a situation whereby the threat actor can use this non-traditional attack vector to bypass the increasing awareness among ordinary users of the danger of clicking unsolicited links.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it. Those links can lead to a fake online poll or questionnaire with a financial incentive to participate, where bank account or credit card details can be collected.
It’s wrong to think of this as just being spam, as Google appears to want to classify it, or for that matter just another phishing scheme. “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” Javvad Malik, security awareness advocate at KnowBe4, said after I wrote that first report. Malik told me that to gain entry to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, “could allow physical access to secure areas.”
Google confirms the Calendar app security problem
Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google Employee, states that “We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available.”
Although I’m unhappy that Google is still referring to this as a spam issue, rather than explicitly a security one, at least it shows that Google not only confirms there is a problem after all but also that it’s committed to fixing it.
That same posting included a link to “learn how to report and remove spam,” which is worth reading as it contains hands-on advice for every Google Calendar user who is concerned about getting caught out by this particular attack. Which, in my never humble opinion, should be every Google Calendar user.
This includes delving into Calendar settings and changing the “Event” configuration from “Automatically add invitations” to “No, only show invitations to which I have responded.” Users are also advised to remove the automatic adding of events from Gmail by configuring the “Events from Gmail” option so that the “Add automatically” box is unchecked.
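The settings change above amounts to a simple policy: an unsolicited invitation should not land on your calendar, and its links should not reach your notification tray, until you have looked at it. As an added example (not Google’s code, and not from the original article), here is that policy expressed as a small triage routine over a constructed iCalendar invite: it unfolds the RFC 5545 text, pulls out the organizer and any embedded URLs, and holds back invites that carry links from an organizer domain you do not already trust. The sample invite, the domains and the allowlist are all made up for the demonstration.

```python
import re

# Constructed sample invite (iCalendar text), not a real message. The DESCRIPTION
# line is deliberately folded across two lines, as real invites often are.
SAMPLE_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Prize Desk:mailto:prizes@example-lottery.invalid
SUMMARY:You have been selected
DESCRIPTION:Complete the survey to claim your reward: https://example-lottery.invalid/claim
 ?id=123
ATTENDEE:mailto:user@example.com
END:VEVENT
END:VCALENDAR"""

URL_RE = re.compile(r"https?://[^\s<>\"]+")


def unfold(ics: str) -> list:
    """Undo RFC 5545 line folding: a line beginning with a space or tab continues the previous one."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_event(ics: str) -> dict:
    """Map property names to values; property parameters (after ';') are dropped."""
    props = {}
    for line in unfold(ics):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props[name.split(";", 1)[0].upper()] = value
    return props


def triage_invite(ics: str, trusted_domains: set) -> dict:
    """Decide whether an invite may be auto-added or should stay hidden until the user responds."""
    props = parse_event(ics)
    organizer = props.get("ORGANIZER", "").lower()
    if organizer.startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    domain = organizer.rsplit("@", 1)[-1]
    text = " ".join(props.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
    urls = URL_RE.findall(text)
    trusted = domain in trusted_domains
    # Assumed policy (mirrors the "only show invitations to which I have responded" setting):
    # a link from an unknown organizer means the invite waits for the user instead of auto-adding.
    action = "auto_add" if trusted or not urls else "hold_for_review"
    return {"organizer": organizer, "trusted_organizer": trusted, "urls": urls, "action": action}
```

Run against the sample with an allowlist that does not contain the organizer’s domain, the invite is held for review and the full unfolded URL is reported; add the domain to the allowlist and the same invite is auto-added.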
If you’re a user of calendar services from Apple or Microsoft, then there are similar issues that need resolving. Some good advice for Apple Calendar and Microsoft Calendar (via Web/Outlook Web Access) can be found courtesy of security awareness specialists PhishingTackle.
Updated September 10: This article has been updated with advice for Apple and Microsoft users facing similar problems.