What You Should Know About the Gmail and Google Calendar Security Issue

With an estimated 1.5 billion users, Google’s Gmail service is so widely used that any security vulnerability can have far-reaching consequences. As Forbes contributor Davey Winder points out, it can also lead to a kind of inertia when a flaw is discovered, as Google might not want to disrupt the app or take it down for extended periods. Now, Google seems prepared to address a longstanding issue with its Calendar feature that dates back to 2017.

Google Calendar, which is accessible via Gmail, notifies users of scheduled appointments that are either entered manually or created from an email invitation. The flaw, Winder explains, is that Calendar lets anyone schedule a meeting with a user without sending an email notification, and Gmail lets those events be added to Calendar automatically. Because Gmail users assume the invites must be legitimate, they might click on a pop-up notification about a fraudulent event, or a link within a fraudulent event, that leads to a malicious site. In extreme cases, the links can lead to portals where bank or credit card information is solicited.

In an example used by Black Hills Information Security, which discovered the flaw, a Calendar user might receive a notice about an “all-hands” meeting starting in a few minutes along with a link to information that will be discussed at the meeting. Feeling a sense of urgency, a user may not examine the reminder too closely, click the link, and be transferred to a site with malicious software.

Though the vulnerability has been known and publicized for years, Google is only now taking steps to address it, announcing via a help forum post that it is working to resolve the issue.

Until then, it’s best for users to be more diligent when interacting with the Calendar function. Under Settings > Event Configuration, “Automatically add invitations” should be disabled, and the option to show only invitations the user has responded to should be enabled. It’s also advisable never to follow a link from a Calendar email sent by an address or entity you don’t recognize.

[h/t Forbes]