Google has confirmed that a vulnerability could have left 1.5 billion Google Calendar and Gmail users exposed to a dangerous form of phishing attack.
As Forbes reports, the problem was a result of the close linking between the two services, which allows calendar invitations to be sent by email – even by people you don’t know, and have never spoken to before – and added to your calendar automatically.
If the vulnerability was exploited, it would be possible for a criminal to send a convincing fake calendar invitation to a victim, which they would be likely to click without thinking twice.
These scam invitations could include a malicious link that could be used not only to steal login credentials (like a standard phishing attack), but also to obtain other sensitive information, such as how to gain access to a building where the ‘meeting’ is due to take place.
Don’t get caught out
The vulnerability was first exposed in 2017 by security researchers Beau Bullock and Michael Felch of Black Hills Information Security.
This week, Google employee Lesley Pace published a post acknowledging the problem. “We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue,” said Pace. “We’ll post updates to this thread as they become available.”
In the meantime, if you’re concerned, Black Hills Information Security has published an extensive guide that you can follow to secure your Gmail and Google Calendar apps from potential attack. As always, though, the most important thing is to treat unsolicited emails with caution, and not click any links to events that you aren’t expecting.
Also published at: http://www.techradar.com/news/google-admits-gmail-and-google-calendar-users-could-have-been-scammed-by-fake-event-notifications