A flaw in Gmail allows virtually anyone to send calendar requests to any user. This unpatched vulnerability puts almost 1.5 billion Gmail users at risk.
Privacy and security are front and center in the minds of consumers. A recent IBM poll shows that customers prefer privacy and security over convenience. People are willing to sacrifice ease of use for tighter security.
Gmail is one of the most popular mail clients in the world. With 1.5 billion users, it’s a global communications power house. Security flaws in widely used systems can cause catastrophic problems on a global scale. Fortunately, nothing major has happened, but the security flaw is currently known and exploitable.
Google Calendar operates seamlessly with Gmail. Part of this integrated functionality allows anyone to send Calendar requests to Gmail recipients. The design allows malicious actors to perpetrate phishing scams on unsuspecting users.
The attack begins by sending a calendar event to a victim. The event contains a link to a malicious website. Once on the site, users are fooled into entering credit card information, which is then stolen by the perpetrators.
Taken a step further, the vulnerability could provide physical access to buildings. For example, an attacker could spoof a Calendar event to open access to a building for maintenance. The flaw exposes Google users to a whole host of social engineering attacks.
It is strongly advised that Gmail users avoid following any links from unknown Calendar events. Rejecting Calendar events from unknown sources can also protect the end user. This is generally good advice, however, with proper security, users can’t be victimized through the Calendar app.
There’s no word as to when Google will fix this issue. For now, the Mountain View company is minimizing the defect, claiming it is a spam issue.
The impact of this security flaw is unknown. There are no widespread reports of cyber crime, however, with 1.5 billion customers vulnerable to a known flaw, it could have a devastating impact.