Another Google Privacy Flaw - Calendar Unexpectedly Leaks Private Information (Disclosed)


My wife likes to set reminders for herself in Google Calendar.

Email Pay Rise-fs8
Recently, she added a note to her personal Google Calendar reading "Email alice@example.com to discuss pay rise" and set the date for a few months from now. She'd had a discussion with her boss, Alice, and they'd agreed to talk about salary later in the year.

A few moments later, Alice sent her a "Meeting Accepted" email.

What... The...?

Although pretty embarrassing, it could have been a lot worse. It could have been "Email mother-in-law@example.com with excuse why we can't see her" or perhaps "Email husband@example.com with divorce details" or even "Email co-worker@example.com to demand red stapler back" or... well, you get the picture.

Luckily, my wife doesn't have a Google+ profile, so there was no information leak other than her email address (which wasn't "huggle.wuggle.2012" or anything daft like that!)

We've tried several times to recreate this behaviour. Here's what we discovered:

  • If you use Google Calendar on the web and put a Gmail address in the subject line, that user will have the event added to the calendar.
  • They will not receive an email notification - although they will get a "meeting reminder" pop-up.
  • Creating an event on an Android phone does not trigger a meeting request.
  • Some non-Gmail addresses will also see the meeting in their calendar - but others will not.
  • When you delete a calendar item, the "Cancellation" notification is emailed regardless of whether the user received the original invite.

Delete-fs8
We were unable to determine which non-Gmail addresses would receive the item in their calendar. Some which were hosted with Google didn't receive the pseudo-invitation. Some accounts hosted on Microsoft Exchange got the invite while others on seemingly similar systems didn't.

Here's a video showing it in action.

Note that when a user fills in the pop-up, Google Calendar asks for confirmation to send a meeting invite. When using the full interface, no warning whatsoever is given.

Impact

Google has tried to be clever here. It has failed. Just because I am talking about someone, it doesn't mean I am talking to someone.

There are two main risks here - the user could expose her private Gmail account and associated Google+ data, and she could also reveal her private thoughts and feelings.

Google really needs to work harder at protecting the privacy of its users.

Disclosure

This privacy issue was formally disclosed to Google on 6th January 2014.
On 22nd January, they responded by saying they didn't consider it a problem.

We reviewed your report. After careful consideration by our security team, we feel that the issue has minimal impact on the security of our users. Let us know if you believe that this determination may be incorrect. If you'd submitted your report as part of our reward program, this means it doesn't qualify for reward or credit. Thanks for your help!

As much as I'm disappointed not to be getting a $10,000 bug bounty, I'm more upset that Google repeatedly finds itself failing to keep its users' private information private.

Update: according to a comment on the HackerNews discussion - problems like this have been reported to Google as far back as 2010.

Update 24 January: Google have agreed to fix this bug!

[W]e agree that the behavior you identified is undesirable, and we filed a bug with the Calendar team last week. They’ve been working on changing the behavior to make it clearer that someone has been added to the event in the situation you described.

While we won't be getting any of the monetary reward from the bug bounty, Google have graciously decided to include us in their Security Hall of Fame.

You can continue the discussion on The Verge, ars technica, Business Insider and Android Central.

Update 31 January: This flaw was discussed on the "This Week In Google" podcast.


Share this post on…

8 thoughts on “Another Google Privacy Flaw - Calendar Unexpectedly Leaks Private Information (Disclosed)”

  1. Thanks for the share. It makes me wonder what other unknown ways Google might try to help me out/screw me over. It's too bad, I usually like the Google way. This might be acceptable if there was notification (Do you want to invite soandso@example.com to this event?), but otherwise I agree this is an easy way to cause some unintended awkwardness.

    Reply
  2. says:

    One annoying thing about this is that it enabled spammers to add rubbish to your calendar.

    Reply
  3. Nonconformistradical says:

    "I'm more upset that Google repeatedly finds itself failing to keep its users' private information private."
    If you will put your private information in the hands of such organisations - whose only interest is in making money out of you - what else do you expect?

    Reply
  4. Your video shows it's user error on your behalf: you chose not to send the email invite by pressing the Do Not Send button, but the user is still invited as you have specifically added them to the appointment by their email address. If you had used the Continue Editing button, or the close X at the top right you would see they are guests added to the event. The big pop-up asking you if you want to send an invite is telling you they are added - I'm not sure how you would interpret that any other way.

    Reply
  5. Thanks for that Kevin: I didn't try to replicate this scenario I was using Quick Add and just adding the email address from the popup. I will pass this on to the Google Calendar Team

    Reply

Trackbacks and Pingbacks

What links here from around this blog?

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">