Skip to main content

WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

There are 1.5 billion people in 143 countries use Google's Gmail and Calendar apps, which are provided to anyone who signs up for a Google account. And now, they're all at risk because of new Google Calendar fake invite scam.

The vulnerability in Google Calendar allows hackers to take advantage of a default setting that automatically adds invitations (which spread malicious links) to a person's Calendar when they are sent via email.

Unrequested invites then appear as a notification trough then Google Calendar app which if clicked on can lead users to a legitimate looking page requesting the user's personal and financial details.

The fake invite scam was first discovered by two cybersecurity researchers at Black Hills Information Security in 2017 but Google is addressing the issue now. They informed and demonstrated how they exploited the vulnerability in gaining access to the user's credentials and also describing how security controls designed to prevent such attacks could be easily bypassed. Google apparently didn't fix this at the time.

The researchers noted that this was a particularly useful feature for hackers, as users have grown tired of receiving spam and malicious links in emails. Receiving an official notification through Google Calendar is less likely to produce suspicion.

Possibly the most interesting element of the Google Calendar is that it can create a sense of urgency simply by alerting a user about those invitations or events. Links within those invitations or events will then take victims to a fake Google authentication page that captures their credentials.

Nowadays, In the digital era, Data can be considered as currency itself. It can be sold on for profit in the underground used to compromise online accounts, and in the worst cases, can be utilized for identity theft or making fraudulent purchases.

Google Confirms The Calendar App Security Problem

Finally, Google is talking about this threat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, A Google Employee, states that "We're aware of the spam occurring in Calendar and we are also working diligently to resolve this issue. We'll post updates on this issue as they become available. Thank you for your patience."

    WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users          WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

How Does Google Calendar Fake Invite Scam Works?

Google Calendar allowing anyone to schedule a meeting with a user without email notification. Gmail is built to integrate with Calendar functionality because of that Gmail allowing those events to be automatically added to Calendar. Hence, Google Calendar users assume that invites must be legitimate so they might click on a pop-up notification about a fraudulent event, or a link within a fraudulent event, that redirects to a malicious attack site. In most cases, the links can lead to portals, fake online polls or questionnaires where bank account or credit card details can be collected.

Let's see an example. Google Calendar users might receive a notification about an all-hands meeting starting in a few minutes along with a link to information that will be discussed at the meeting. Feeling a sense of urgency, a user may not examine the reminder too closely, click the link, and be redirected to a malicious attack site.

How To Protect Yourself From Google Calendar Fake Invite Scam?

First of all, turn off the feature that automatically adds Gmail invitations to your Google Calendar. That will immediately stop hackers from being able to target you.

Step 1. In your web Calendar app, click on the gear icon on the top right corner of the page and select "Settings".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 2. In the left menu listing, click on "Event settings".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 3. in Event settings, change the "Automatically add invitations" option to "No, only show invitations to which I have responded" from the drop-down menu.
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 4. After that, on the left-hand menu listing, click on "Events from Gmail".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 5. In that, Uncheck "Automatically add events from Gmail to my calendar".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 6. After unchecking it, You'all get a warning that "You'll no longer see events automatically added from your email. Previously added events from Gmail will be removed". Click on OK.
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

After doing these changes, any invitation will add to your Calendar only after you accept the invitation.

So, Google Calendar fake invite scam is easy to avoid, thanks to Google's settings.

It's also advisable never click any link from a Calendar if it comes from an unknown email address or unknown party you don't recognize.

Be sure that never share your personal information in a site unless you know what it is and you can verify it's real. Although you can't always be 100% sure, so your best to stay away from entering sensitive data into malicious sites.

If you are not sure that a site is safe or not, then look for the little icon of a lock next to the web address that lets you know if a site is most likely secure or not.

If you want to learn more about how to check if a link is safe to click or not then Click here.

If you are a user of Calendar service from Apple or Microsoft, then there are similar issues that need resolving.

I hope you find useful information in this article. If you have any questions then please mention in the comments section and I will get back to you and stay tuned with my blog to learn interesting things related to cybersecurity and hacking.


Popular posts from this blog

How To Check If a Link Is Safe To Click

Many times, we share links among our friends on social media platforms like WhatsApp, Facebook, Instagram or Twitter. But do we know how safe they are? What can happen if you click on any malicious link? We never think of the following things : Links can drop various harmful programs, viruses on your device Links can steal your personal data by dropping spyware or keyloggers Use your browser for crypto mining which will affect your device's performance Even if your device is secured with antivirus, not all of them warn you before clicking such malicious links . And the moment you click on these, they will become big trouble for you. This can sometimes even be dangerous with regard to data security and identity theft. So, Be careful about what you click on. These days one of the quickest growing security issues is ransomware , which is often spread by the user unintentionally clicking dangerous links in emails, social media platforms, messengers, and other tool

How To Enable WhatsApp Fingerprint Lock Feature on Android

WhatsApp has officially rolled out the fingerprint lock feature for all the Android users. Most of you may already have been doing it for the last few years with the help of third-party app lockers for adding more security. Keeping that in mind and to make the process quicker and safer at the same time, WhatsApp has now launched this new fingerprint lock feature so that you can open the app by your fingerprint. It means that regardless of whether the phone is opened, others won't have the option to gain access to the messages without your fingerprint. So, you can now secure your WhatsApp conversations with an extra layer of biometric security . With this step, WhatsApp is finally offering biometric authentication to the Android app, while iPhone users enjoying both the Touch ID that is the fingerprint recognition and Face ID that is the facial recognition since the month of February 2019. WhatsApp is also giving more options with the new fingerprint lock featur

TikTok Secretly Sent Users Private Data & PII Number to Chinese Server Including Draft Videos

The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik