Great Google-ly Moogly - Google finally starts development on patch for 1.5 billion users


    Forbes (quote source)


    A vulnerability/feature, discovered in 2017, allowing easy social engineering of Gmail and Google Calendar users is now being patched.




    Back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to...credential-stealing. Google apparently didn't fix this at the time as it would have caused "major functionality drawbacks"..., despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin' Fest.

    It is a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications. Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. The threat actor can use this non-traditional attack vector to bypass the increasing amount of awareness amongst average users when it comes to the danger of clicking unsolicited links. When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it.

    "Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks." To gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, "could allow physical access to secure areas."

    Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google employee, states that "We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available."

    I am sad, though, that Google is still referring to this as a spam issue rather than explicitly a security one.


    My Thoughts:

    I'm glad to see Google finally fixing this. It is an attack surface a user is less likely to be wary of. They probably get calendar invites every day if their company is using G Suite, so why NOT trust the new invitation or activity that appeared on your calendar? Going after people is the best way to get into anything as we truly are the weakest link of any security system.
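    The Forbes passage above describes the vector: an invite from an arbitrary sender lands on the calendar, and the notification shows the sender's text and link. The following is an added defensive example, not code from the post, from Google or from the researchers: it parses a constructed iCalendar (.ics) invite and flags it when the organizer is outside a set of trusted domains and the visible fields carry a link. The sample invite and the domains are constructed for illustration.

```python
import re
# Constructed sample invite (not a real message): an unsolicited event whose
# description and location carry links, from an organizer outside our domain.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Helpdesk:mailto:helpdesk@external.invalid
SUMMARY:Action required: account review
DESCRIPTION:Your account needs review. Confirm here: https://example.invalid/r
 eview
LOCATION:https://example.invalid/meet
END:VEVENT
END:VCALENDAR
"""
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
def unfold(ics):
    """Undo RFC 5545 line folding: a line starting with space/tab continues the one before."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_event(ics):
    """Collect properties of the first VEVENT, dropping parameters such as ;CN=..."""
    props, in_event = {}, False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def organizer_domain(props):
    addr = props.get("ORGANIZER", "").lower()
    addr = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def triage_invite(ics, trusted_domains):
    """Flag an invite from outside trusted domains whose notification text carries a link."""
    props = parse_event(ics)
    domain = organizer_domain(props)
    text = " ".join(props.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    urls = URL_RE.findall(text)
    return {"organizer_domain": domain, "urls": urls,
            "suspicious": domain not in trusted_domains and bool(urls)}
```

A flagged invite is a candidate for quarantine or for a warning banner, not proof of malice; legitimate external invites with meeting links will also trip it and need an allow-list.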

