Thursday, October 24 • 2:00pm - 2:50pm
Digging Deeper into the Google Calendar Attack Surface

“One Billion Google Calendar Users Exposed to Fake Invite Scam” - Forbes Inc
“Beware phishing scams posing as Google Calendar notifications” - Tech Radar
“Google Calendar spam is on the rise” - CBS News
But really, just how bad is it? On one side of the equation, it seems everyone has been getting either spammed or phished, leading to account compromises and to being woken up at 2am because of the new iPhone they just won from some sketchy site they have never been to. On the other side of the equation, service providers publicly acknowledge that calendar events have issues, but not as a technical security problem. This lack of seriousness on behalf of service providers has led to neglecting the fundamental issues because of the impact it could have on their users' experience.
To demonstrate just how bad the problem really is, we’ve pulled back the cover on this mostly untapped attack surface by digging into the core calendar specification dating back to 1995. We have analyzed the original format components by digging into the specification, researched the attack surfaces affecting high-level implementations by Google, and finally identified new vulnerabilities which we will demonstrate.
We will provide a quick recap of existing calendar problems to date, discuss fundamental design flaws in the calendar specification, and demonstrate new vulnerabilities that can be exploited using calendar events. This presentation has just enough technical detail to intrigue security researchers while providing a very clear warning for anyone who uses calendars.

Thursday October 24, 2019 2:00pm - 2:50pm MDT
Track 2