Exploiting Google Calendars

Summary

Calendars help us manage our everyday life into a more organized patterns. From work to school, we all had or have use calendars but what happens when our calendar is public and is inviting attackers to access sensitive company information? That is exactly what I decided to look into for my research when doing a workshop on reconnaissance at Offensive Security Society, CSUF and found that many companies have this common security issue. With this research, I was able to get access to multiple sensitive information. A quick run down of some information disclosure are as follows:

  • Internal meetings: Most companies use video calls for remote meetings. One of the popular program for this is Zoom. Compared to Google Hangouts, Zoom in most cases allows attending meeting as long as you have the correct meeting id.
  • Exposed documents on project and meeting plans : Some employees had publicly accessible Google docs and presentation that are usually hard to find by an external attacker. However, because they were hyperlinked in meetings and calendar objectives, I was able to access it and view internal information. These information included meeting agendas, new product features, etc.
  • Internal livestreams: Most companies have weekly and/or quarterly meetings and other internal livestreams. Most of these livestreams were password protected but all passwords were also embedded in calendar invites sent to employees.

Technical Description

Starting the attack

For the initial research, I started out with gathering emails of my target. If you know me well, you will be able to guess who my first target was (spoiler: it was Uber). I have worked with Uber's team in the past during similar research so I was excited to see if I could find something for this research too. For recon, I used hunter.io to get list of uber.com emails. You can do it by two ways: using their API or through the UI. For this blog, I will show it from the UI side:

If you read the UI image you will notice there are about 793 Uber emails queried by Hunter.io. Not all of these emails exist because it could be emails of previous employees and features. Nonetheless, I afterwards used the Hunter.io API to get all these emails and pass them into a scraper. Then the attack phase started.

Attack Phase

Once I had parsed the result of the API, I decided to investigate to see if I can automate identifying if calendars were public. For this, I started looking at how google calendar worked. In google calendar, you can embed/share your calendar. The link to do so looks like this: https://calendar.google.com/calendar/htmlembed?src=EMAIL@DOMAIN.COM&ctz=American/Los_Angeles.

Google Calendar also follows a specific response format when embedded. For example, if the calendar is private or if it does not exist, it will return a 500 internal error. But if the calendar is public, it will return a 200 status code.

Once I had this information, I wrote a script to take a txt file and iterated through the emails. Pretty soon after that, I found at least one email that had the calendar public.

How to fix this issue?

If you are a company and are worried how to fix this issue, there are multiple ways you can resolve this:

  • If you use GSuite, as a GSuite admin, you can set rules and monitor when Google Calendars are set to public.
  • If your employees really want public calendars, then you can set the calendar to publicly show as Free/Busy:
  • Provide security awareness training to employees.
  • Monitor calendars weekly/daily. In order to so, you can export the list of all emails used in the organization and scan it to see if any of them have public calendars.

Analysis

Based on this, we targeted 10 companies and out of those, 4 of them had employees that were vulnerable to this attack:

  • Uber
  • Shopify
  • ███████████ (Permission not yet given)
  • Netflix

Written by Rojan Rijal (@uraniumhacker) and Brandon Nguyen (@cmdrsnuggle)