Google Has Put Over a Billion Users on Risk of Hacking

The flaw in Google Calendar came up back in 2017, when researchers from a private security firm revealed that over a billion users are not safe from hackers. Since then Google has still not taken any action to prevent hackers from breaching anyone’s privacy.

Hackers are sending phishing links to users via Google Calendar in Gmail. They take advantage of the new feature which allows one to send invites automatically to the users’ Gmail inbox directly, and notifies them. When users click on these unknown links they are actually giving hackers access to their personal information.

Earlier this month Google announced to fix malicious invites anonymously sent. Avinash Jain, a security researcher from India contacted Davey Winder (Forbes’ reporter), who worked to resolve this issue, and to ensure it stops. He told reporters that though he has been able to find loopholes, which means they can be resolved, however, there are bigger flows of information which still provides hackers a gateway to send such invitations. This has been reported in Forbes.

The flaw pointed out by Avinash is not in the codes but it is a mis-configuration matter combined with poor user visibility. For G Suite admins mitigation options are present, but they are not enabled by default.

In their reply to Winder, Google said,

“Google’s Terms of Service and Product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Google offers security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.”

Google thanked the consumers for their patience and assured that it will be reduced soon,

“We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available. Learn how to report and remove spam. Thank you for your patience.”

The problem occurs when a user share calendar event publicly, those events can easily be found by searching on Google. Jake Moore, cyber-security specialist at ESET, says that “if companies choose to use Google for their business calendar events, those firms must consider providing adequate training to make sure their employees understand the risks around keeping their company data secure.”