Did you know, since 2017, Google Calendar has suffered under the weight of a fairly significant malicious invite issue? That’s right. Nearly a billion users have been open to having their Google credentials stolen by a simple maliciously-crafted calendar invitation.
To make matters worse, Google opted to not fix the issue as it would cause a loss of functionality. To this date, the issue has yet to be resolved–though Google is working on it. Google’s response to reports of the vulnerability was to say, “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.”
Yeah, that’s helpful. To prevent the spread of malicious phishing attacks, Google simply says it’s prohibited to do such things.
SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)
I have cats. I tell my cats it’s against the terms of service in the household to claw the furniture. But cats are gonna cat, no matter how many times I show them the EULA.
You see where I’m going with this.
No matter how many times you tell malicious actors to not spread their special flavor of malice, they continue.
How the vulnerability works
The vulnerability in question works like this:
- The malicious actor sends you a phishing attack in the form of a calendar invitation.
- You assume it’s a valid invitation.
- The malicious invitation includes a link.
- You tap (or click) on the link, assuming it will accept the calendar invitation.
- The event is added to your calendar.
- You click on a malicious link in the event.
- Bad things ensue.
How do you prevent this?
The first thing you should do is never accept these types of invites. Why? You’re only asking for trouble when you do. However, sometimes these invites are pretty convincing they’re from a legit source. How do you stop this from happening? From within Google Calendar you can configure the app such that this kind of spam isn’t allowed access.
The first part of the process, prevents Google from automatically adding invitations sent to you. Take care of this with the following steps:
- Log into your Google Calendar.
- Click the gear icon and click Settings from the drop-down.
- Click Event Settings from the left navigation.
- Locate and click the Automatically Add Invites drop-down (Figure A).
- Select No, Only Show Invitations To Which I Have Responded.
The second step stops all events in Gmail from winding up in your calendar. This is done with the following process:
- In the left navigation, click Events From Gmail.
- Locate and uncheck the option for Automatically Add Events From Gmail To My Calendar (Figure B).
- OK the warning.
The final process is to prevent declined events from showing up in your calendar. This is done by clicking View Options in the left navigation and unchecking the box for Show Declined Events (Figure C).
Not 100% secure
Even with this process taken care of, you’re not 100% secure. Until Google addresses the issue, it is still on the user to not accept any suspicious looking Google calendar invite. When you do accept invites from unknown users, you risk falling victim to phishing attacks. Said attacks could lead to your Google account credentials being stolen, which could then lead to the theft of personal or company information.
The moral of this story? Do not accept suspicious invites and configure your account to not allow such things to fill your Calendar with events that contain malicious links. Period. End of story.