“One Billion Google Calendar Users Exposed to Fake Invite Scam” - Forbes Inc
“Beware phishing scams posing as Google Calendar notifications” - Tech Radar
“Google Calendar spam is on the rise” - CBS News

But really, just how bad is it? On one side of the equation, it seems everyone has been getting either spammed or phished, leading to account compromises and to being woken up at 2am because of the new iPhone they just won from some sketchy site they have never been to. On the other side of the equation, service providers publicly acknowledge that calendar events have issues, but not as a technical security problem. This lack of seriousness on the part of service providers has led to neglect of the fundamental issues because of the impact it could have on their users' experience.

To demonstrate just how bad the problem really is, we've pulled back the cover on this mostly untapped attack surface by digging into the core calendar specification dating back to 1995. We have analyzed the original format components by digging into the specification, researched the attack surfaces affecting high-level implementations by Google, and finally identified new vulnerabilities which we will demonstrate.

We will provide a quick recap of existing calendar problems to date, discuss fundamental design flaws in the calendar specification, and demonstrate new vulnerabilities that can be exploited using calendar events. This presentation has just enough technical detail to intrigue security researchers while providing a very clear warning for anyone who uses calendars.