Misconfigured Google Calendars leaking private information of thousands of users

Security researcher claims to have found more than 200 calendars leaking information that should be private

A configuration setting in Google's Calendar service may be exposing the private information of thousands of users on the internet, a security researcher has warned.

Avanish Jain, a cyber security expert from India, says he recently discovered that anyone using advanced search parameters on Google can get details about meetings, event names, interviews, meeting links, zoom meeting links, email ids, locations, and lots of other details related to large number of companies and people using Google calendar service.

Jain said he found more than 200 calendars leaking information that should actually remain private, but was indexed by Google.

The issue here is not a security vulnerability in the Google Calendar, notes Jain. Rather, it is an issue related to a configuration setting that comes as a part of the standard functionality of Google Calendar, helping users to collaborate with other people by making a Calendar public. Using this setting, people can share event reminders and organise meet-ups with other users.

Jain currently works at Indian ecommerce firm Grofers, and has previously discovered a large number of security vulnerabilities and privacy issues in platforms run by Google, NASA, Yahoo and Jira.

He claims that once a Google calendar is shared with the public, other users can view it on a website or sync it with other applications.

Google does display a warning about the setting: "Making your calendar public will make all events visible to the world, including by way of Google search. Are you sure?"

However, many users ignore the warning, even people working in some large companies appear to ignore the notification, thereby disclosing their sensitive details to the world.

According to Jain, a major issue here is that many users intend to make their calendar public only for a number of specific people, and share the URL with them. But, the link is eventually indexed by Google and becomes searchable via Google search.

In one instance, calendar settings enable other users (for example employees of a company) to add events to it, the mistake could lead to confidential information of the company being leaked on internet.

Google stresses that Calendar sharing is private by default for G Suite and consumer Calendar users.

"A G Suite user cannot exceed the level of event details allowed by their admin for external sharing," said Google spokesperson.

"Calendar sharing is also private by default for all consumer accounts. A consumer user can only share by changing this setting, in which they are notified of how their calendar will become visible to the public," the spokesperson added.