Davey Winder at Forbes analyses the Google Calendar vulnerability, original story here: https://www.forbes.com/sites/daveywinder/2019/09/09/google-finally-confirms-security-problem-for-15-billion-gmail-and-calendar-users/#61c9f7b4279f
Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently didn’t fix this at the time as it would have caused “major functionality drawbacks” for Calendar users, despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin’ Fest. Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.” That statement went on to say that Google offers “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” Now, it seems, Google is finally taking this security problem somewhat more seriously.
How does the Google Calendar attack work?
Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications.
Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with that calendaring functionality. Combined, these two facts give a threat actor a non-traditional attack vector that sidesteps the growing awareness among average users of the danger of clicking unsolicited links in email.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it. Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.
It’s wrong to think of this as just being spam, as Google appears to want to classify it, or for that matter just another phishing scheme. “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” Javvad Malik, security awareness advocate at KnowBe4, said when I wrote that first report. Malik told me that to gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, “could allow physical access to secure areas.”
Google confirms the Calendar app security problem
Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google Employee, states that “We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available.”
Although I am sad that Google is still referring to this as a spam issue, rather than explicitly a security one, at least it shows that Google not only confirms there is a problem after all but also that it is committed to fixing it.
That same posting included a link to “learn how to report and remove spam,” which is worth reading as it contains hands-on advice for every Google Calendar user who is concerned about getting caught out by this particular attack. Which, in my never humble opinion, should be every Google Calendar user.
This includes going into Calendar settings and changing the “Event” configuration from “Automatically add invitations” to “No, only show invitations to which I have responded.” Users are also advised to stop Gmail adding events on its own by opening the “Events from Gmail” option and unchecking the “Add automatically” box. These are mitigations that keep unrequested invitations off the calendar by default; they do not change the underlying behaviour that lets anyone create an event on your calendar.
If you are a user of calendar services from Apple or Microsoft, then there are similar issues that need resolving. Some good advice for Apple Calendar and Microsoft Calendar (via Web/Outlook Web Access) can be found courtesy of security awareness specialists PhishingTackle.
Google responds to this article
“Spam calendar invitations can include both unwanted and malicious content that deceive users similar to spam email,” a Google Cloud spokesperson says, “we are not aware of any security bugs due to the software itself. As such, it would be misleading to characterise this as a technical security vulnerability. Google is constantly improving our ability to keep unwanted and malicious content from our users.”
However, Beau Bullock and Michael Felch, the Black Hills security researchers who first disclosed the problem in the “Google Calendar Event Injection with MailSniper” report published November 1, 2017, refer to this as an “event injection vulnerability.” The researchers showed, for example, how it was possible to circumvent the “No, only show invitations to which I have responded” calendar setting: by using the Google API to create the event with the target’s response status already set to “Accepted,” the invitation counts as one the target has responded to and is displayed regardless of the setting.
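The bypass above leaves a recognisable shape in the calendar data: an event from an organizer outside your own domain whose attendee entry for you is already “accepted,” typically with a link in the description or location. The following triage script, added here as an example (it is not code from the Forbes article, from Google or from the Black Hills MailSniper research), walks an events.list response from the Google Calendar API and flags events that match that pattern. The Event resource fields used (`organizer.email`, `attendees[].self`, `attendees[].responseStatus`, `summary`, `description`, `location`) are the API’s own; the three sample events, the `example.com` defender domain and the `prize-claim.example` lure domain are constructed for illustration.

```python
"""Triage Google Calendar events for injected, pre-accepted invitations.

Added example for this page, not code from the Forbes article, Google or the
Black Hills MailSniper research. It assumes the Event resource shape returned
by the Calendar API's events.list call ("items" list; each event carries
"organizer" and "attendees", and attendees carry "self" and "responseStatus").
The events below are constructed samples, not real data.
"""
import re
from typing import Dict, List, Optional

OWN_DOMAIN = "example.com"  # assumption: the defender's own Workspace domain
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample of an events.list response with three events.
SAMPLE_EVENTS: Dict = {"items": [
    {   # Ordinary internal meeting: organizer is in our domain and the user
        # set the "accepted" status themselves.
        "id": "evt-internal-1", "summary": "Sprint planning",
        "organizer": {"email": "pm@example.com"},
        "attendees": [
            {"email": "pm@example.com", "organizer": True, "responseStatus": "accepted"},
            {"email": "me@example.com", "self": True, "responseStatus": "accepted"}],
        "description": "Agenda is in the shared doc."},
    {   # External invitation still awaiting a reply: the "only show
        # invitations I have responded to" setting keeps this one hidden.
        "id": "evt-external-pending", "summary": "Vendor catch-up",
        "organizer": {"email": "sales@vendor.example"},
        "attendees": [
            {"email": "sales@vendor.example", "organizer": True, "responseStatus": "accepted"},
            {"email": "me@example.com", "self": True, "responseStatus": "needsAction"}],
        "description": "Quick sync on the renewal."},
    {   # Injected event in the shape the Black Hills research describes: the
        # external organizer created it with the target's responseStatus already
        # "accepted", so the "responded" filter lets it through, and the lure
        # link sits in the text a notification renders.
        "id": "evt-injected-1", "summary": "You have won a prize",
        "organizer": {"email": "noreply@prize-claim.example"},
        "attendees": [
            {"email": "me@example.com", "self": True, "responseStatus": "accepted"}],
        "description": "Claim here: https://prize-claim.example/claim?u=me",
        "location": "https://prize-claim.example/survey"},
]}


def self_attendee(event: Dict) -> Optional[Dict]:
    """Return the attendee entry for the calendar owner, if present."""
    return next((a for a in event.get("attendees", []) if a.get("self")), None)


def organizer_domain(event: Dict) -> str:
    """Domain part of the organizer address, lower-cased ('' if absent)."""
    email = event.get("organizer", {}).get("email", "")
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def extract_urls(event: Dict) -> List[str]:
    """Collect links from the fields a calendar notification shows the user."""
    text = " ".join(event.get(k, "") for k in ("summary", "description", "location"))
    return URL_RE.findall(text)


def classify_event(event: Dict, own_domain: str = OWN_DOMAIN) -> Optional[Dict]:
    """Score one event; None means nothing here warrants a second look."""
    me = self_attendee(event)
    if me is None:
        return None
    if organizer_domain(event) in ("", own_domain.lower()):
        return None  # internal organizers are outside this attack's scope
    accepted = me.get("responseStatus") == "accepted"
    urls = extract_urls(event)
    reasons = ["external organizer"]
    if accepted:
        reasons.append("owner's responseStatus already 'accepted'")
    if urls:
        reasons.append("links in event text")
    if accepted and urls:
        severity = "high"
    elif accepted or urls:
        severity = "medium"
    else:
        return None
    return {"id": event["id"], "severity": severity, "reasons": reasons, "urls": urls}


def triage_events(listing: Dict, own_domain: str = OWN_DOMAIN) -> List[Dict]:
    """Run classify_event over an events.list response and keep the hits."""
    hits = (classify_event(ev, own_domain) for ev in listing.get("items", []))
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["severity"], f["id"], "; ".join(f["reasons"]), f["urls"])
```

Run against the sample, only `evt-injected-1` is reported, at high severity, with both lure URLs listed. One caveat a practitioner should keep in mind: the API records the response status but not who set it, so an external invitation the user genuinely accepted produces the same signal. Treat a hit as a lead to confirm with the user (or against the invitation mail in Gmail) rather than as proof of injection.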
One thing I hope we can all agree on is that this goes beyond the realm of just “spam” and crosses into pure security issue territory. Threat actors can use this method to send invites with malicious intent, leveraging the trust that a calendar invite brings to the party as opposed to an unsolicited email. Users are becoming increasingly aware of the need to be suspicious of links in unsolicited emails; the same cannot be said of calendar invites.