Skip to main content

WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

There are 1.5 billion people in 143 countries use Google's Gmail and Calendar apps, which are provided to anyone who signs up for a Google account. And now, they're all at risk because of new Google Calendar fake invite scam.

The vulnerability in Google Calendar allows hackers to take advantage of a default setting that automatically adds invitations (which spread malicious links) to a person's Calendar when they are sent via email.

Unrequested invites then appear as a notification trough then Google Calendar app which if clicked on can lead users to a legitimate looking page requesting the user's personal and financial details.

The fake invite scam was first discovered by two cybersecurity researchers at Black Hills Information Security in 2017 but Google is addressing the issue now. They informed and demonstrated how they exploited the vulnerability in gaining access to the user's credentials and also describing how security controls designed to prevent such attacks could be easily bypassed. Google apparently didn't fix this at the time.

The researchers noted that this was a particularly useful feature for hackers, as users have grown tired of receiving spam and malicious links in emails. Receiving an official notification through Google Calendar is less likely to produce suspicion.

Possibly the most interesting element of the Google Calendar is that it can create a sense of urgency simply by alerting a user about those invitations or events. Links within those invitations or events will then take victims to a fake Google authentication page that captures their credentials.

Nowadays, In the digital era, Data can be considered as currency itself. It can be sold on for profit in the underground used to compromise online accounts, and in the worst cases, can be utilized for identity theft or making fraudulent purchases.

Google Confirms The Calendar App Security Problem

Finally, Google is talking about this threat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, A Google Employee, states that "We're aware of the spam occurring in Calendar and we are also working diligently to resolve this issue. We'll post updates on this issue as they become available. Thank you for your patience."

    WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users          WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

How Does Google Calendar Fake Invite Scam Works?

Google Calendar allowing anyone to schedule a meeting with a user without email notification. Gmail is built to integrate with Calendar functionality because of that Gmail allowing those events to be automatically added to Calendar. Hence, Google Calendar users assume that invites must be legitimate so they might click on a pop-up notification about a fraudulent event, or a link within a fraudulent event, that redirects to a malicious attack site. In most cases, the links can lead to portals, fake online polls or questionnaires where bank account or credit card details can be collected.

Let's see an example. Google Calendar users might receive a notification about an all-hands meeting starting in a few minutes along with a link to information that will be discussed at the meeting. Feeling a sense of urgency, a user may not examine the reminder too closely, click the link, and be redirected to a malicious attack site.

How To Protect Yourself From Google Calendar Fake Invite Scam?

First of all, turn off the feature that automatically adds Gmail invitations to your Google Calendar. That will immediately stop hackers from being able to target you.

Step 1. In your web Calendar app, click on the gear icon on the top right corner of the page and select "Settings".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 2. In the left menu listing, click on "Event settings".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 3. in Event settings, change the "Automatically add invitations" option to "No, only show invitations to which I have responded" from the drop-down menu.
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 4. After that, on the left-hand menu listing, click on "Events from Gmail".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 5. In that, Uncheck "Automatically add events from Gmail to my calendar".
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

Step 6. After unchecking it, You'all get a warning that "You'll no longer see events automatically added from your email. Previously added events from Gmail will be removed". Click on OK.
WARNING — Google Calendar Vulnerability Affects 1.5 Billion Users

After doing these changes, any invitation will add to your Calendar only after you accept the invitation.

So, Google Calendar fake invite scam is easy to avoid, thanks to Google's settings.

It's also advisable never click any link from a Calendar if it comes from an unknown email address or unknown party you don't recognize.

Be sure that never share your personal information in a site unless you know what it is and you can verify it's real. Although you can't always be 100% sure, so your best to stay away from entering sensitive data into malicious sites.

If you are not sure that a site is safe or not, then look for the little icon of a lock next to the web address that lets you know if a site is most likely secure or not.

If you want to learn more about how to check if a link is safe to click or not then Click here.

If you are a user of Calendar service from Apple or Microsoft, then there are similar issues that need resolving.

I hope you find useful information in this article. If you have any questions then please mention in the comments section and I will get back to you and stay tuned with my blog to learn interesting things related to cybersecurity and hacking.

Comments

Popular posts from this blog

How To Check If a Link Is Safe To Click

Many times, we share links among our friends on social media platforms like WhatsApp, Facebook, Instagram or Twitter. But do we know how safe they are? What can happen if you click on any malicious link? We never think of the following things : Links can drop various harmful programs, viruses on your device Links can steal your personal data by dropping spyware or keyloggers Use your browser for crypto mining which will affect your device's performance Even if your device is secured with antivirus, not all of them warn you before clicking such malicious links . And the moment you click on these, they will become big trouble for you. This can sometimes even be dangerous with regard to data security and identity theft. So, Be careful about what you click on. These days one of the quickest growing security issues is ransomware , which is often spread by the user unintentionally clicking dangerous links in emails, social media platforms, messengers, and other tool

TikTok Secretly Sent Users Private Data & PII Number to Chinese Server Including Draft Videos

The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik

Facebook, Instagram and WhatsApp Down : Apps Crash For Users Worldwide Including In India

If you are facing problems with Facebook , Instagram , and WhatsApp on your device then you are not alone. Suddenly, the service of Facebook, Instagram, and WhatsApp's are facing technical problems since late evening on Wednesday. Users are facing these types of problems on Facebook :- While using Facebook, Users are facing problems in loading images, loading videos, and loading all other data across its apps while some users were unable to load photos on Facebook News Feed. On the Twitter platform, Facebook said that it is aware of the issue. Users are facing these types of problems on Instagram :- On Instagram (just like Facebook apps), the issues appear to be limited only to a certain part of the site. Many users report an issue to Instagram that their feed might not load, also it is not possible to post anything new (images, videos, stories) into it. If a user tries to post anything new (images, videos, stories) brings up an error indicat