A vulnerability in the Google Calendar app was discovered back in 2017 that revealed over a billion users could be at risk for having their credentials stolen. However, nothing was done about it because Google claimed that this would have caused “major functionality drawbacks” at the time.
Flash forward to 2019, and Google has finally confirmed the security issue and is working to fix it.
The vulnerability occurs in Google Calendar when someone sends a calendar invitation to a user. The app allows anyone to schedule a meeting with you and will then send a notification to your phone. The scams happen when malicious users send send unsolicited Google Calendar invitations and the user accepts them. They often include a link, which users trust and then click on, causing their accounts to be
Originally, Google tried to categorize these attacks as “spam” but Javvad Malik, security awareness advocate at KnowBe4, says otherwise: “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks. [They] could allow physical access to secure areas."
Now, Google is taking responsibility for the vulnerability and treating it more seriously. Lesley Pace, a Google Employee, said in a Google Calendar Help Community Forum "We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available."
An article was posted in the forum as well, "learn how to report and remove spam," which is a worthwhile read as it offers advice for Google Calendar users concerned about these attacks.
Further Reading: https://www.forbes.com/sites/daveywinder/2019/09/09/google-finally-confirms-security-problem-for-15-billion-gmail-and-calendar-users/#ccc7e4d279fa
Stay Safe Out There!
The PJ Networks Team
