My wife likes to set reminders for herself in Google Calendar.
Recently, she added a note to her personal Google Calendar reading "Email email@example.com to discuss pay rise" and set the date for a few months from now. She'd had a discussion with her boss, Alice, and they'd agreed to talk about salary later in the year.
A few moments later, Alice sent her a "Meeting Accepted" email.
Although pretty embarrassing, it could have been a lot worse. It could have been "Email firstname.lastname@example.org with excuse why we can't see her" or perhaps "Email email@example.com with divorce details" or even "Email firstname.lastname@example.org to demand red stapler back" or... well, you get the picture.
Luckily, my wife doesn't have a Google+ profile, so there was no information leak other than her email address (which wasn't "huggle.wuggle.2012" or anything daft like that!)
We've tried several times to recreate this behaviour. Here's what we discovered:
- If you use Google Calendar on the web and put a Gmail address in the subject line, that user will have the event added to the calendar.
- They will not receive an email notification - although they will get a "meeting reminder" pop-up.
- Creating an event on an Android phone does not trigger a meeting request.
- Some non-Gmail addresses will also see the meeting in their calendar - but others will not.
- When you delete a calendar item, the "Cancellation" notification is emailed regardless of whether the user received the original invite.
We were unable to determine which non-Gmail addresses would receive the item in their calendar. Some which were hosted with Google didn't receive the pseudo-invitation. Some accounts hosted on Microsoft Exchange got the invite while others on seemingly similar systems didn't.
Here's a video showing it in action.
Note that when a user fills in the pop-up, Google Calendar asks for confirmation to send a meeting invite. When using the full interface, no warning whatsoever is given.
Google has tried to be clever here. It has failed. Just because I am talking about someone, it doesn't mean I am talking to someone.
There are two main risks here - the user could expose her private Gmail account and associated Google+ data, and she could also reveal her private thoughts and feelings.
Google really needs to work harder at protecting the privacy of its users.
This privacy issue was formally disclosed to Google on 6th January 2014.
On 22nd January, they responded by saying they didn't consider it a problem.
We reviewed your report. After careful consideration by our security team, we feel that the issue has minimal impact on the security of our users. Let us know if you believe that this determination may be incorrect. If you'd submitted your report as part of our reward program, this means it doesn't qualify for reward or credit. Thanks for your help!
As much as I'm disappointed not to be getting a $10,000 bug bounty, I'm more upset that Google repeatedly finds itself failing to keep its users' private information private.
: Google have agreed to fix this bug!
[W]e agree that the behavior you identified is undesirable, and we filed a bug with the Calendar team last week. They’ve been working on changing the behavior to make it clearer that someone has been added to the event in the situation you described.
While we won't be getting any of the monetary reward from the bug bounty, Google have graciously decided to include us in their Security Hall of Fame.
: This flaw was discussed on the "This Week In Google" podcast.