An Indian cybersecurity expert, Avinash Jain, recently discovered that Google’s calendar service may be exposing sensitive data of users online.
According to his findings, thousands of Google Calendars were found to be exposing private data and more than 8000 calendars were indexed in Google’s search engine which means anyone can access it randomly.
The issue isn’t exactly security vulnerability per se because Google configured it as such for better collaboration between users to share event reminders and organize better.
The problem is that sensitive information such as presentation links, employee email, addresses about various organizations are exposed and a single mistake from any employee could result in organizational data getting public.
Google lists all publicly shared calendars and grants access to anyone who makes an advanced search query which means that sensitive data is in their hands. Also, it worsens as Google doesn’t notify about any activity in the Google Calendar even if a third-party accesses it and adds an event.
To protect data from unwanted actors, users can make sure that they’re not unknowingly making the data public. It is also possible for the users to create an alert manually if their calendar is made public without their knowledge.