Internal Info Leak Via Google Calendar
Someone sent over an interesting issue that I hadn’t seen before. Because of the way people use Google’s calendaring function, they are vulnerable to having corporate information leaked, including intranet addresses, dial-in information (passcodes included) and anything else they type in. Pretty scary actually, as I think most of the people using this think their information is private somehow:
Inspired by http://johnny.ihackstuff.com/ghdb.php I decided to type “passcode intranet” into Google Calendar public search. One of the results is:
http://www.google.com/calendar/events?state=mode%3Dweek,7%26date%3D20070415&q=passcode+intranet&ql=&qt=&qtd=&sa=N&page=vl&afp=8690e067387d3463

Internal Communication Weekly Meeting
Agenda:
http://devcentral.intranet.mckinsey.com/products/PeopleSystems/internal-com
Dial In:
Moderator passcode: 2859485
Participant passcode: 874129
Local - UK, London: +44 (0)20 7784 1013
Local - USA, New York: +1 718 354 1113

Openly telling people about passcodes, intranet sites etc.
WoW!
Not so good. This is pretty much exactly the kind of recon necessary to start doing industrial espionage. Weekly meetings that discuss key internal information? Not looking good. Sometimes you see major leaks in the least likely places. In fact, if you search for some of these keywords on other social networking sites that companies consider acceptable, I bet you’d find a lot of the same issues. Nice find!
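A defender-side check, added here as an example and not code from the post or from Google: it parses an iCalendar export (the kind of ICS feed a calendar lets you download), treats any event with no CLASS property or with CLASS:PUBLIC as something a public search could index, and flags the kinds of content the leaked event above contains (passcodes, intranet URLs, dial-in numbers). The sample feed, the example.invalid hostnames and every number in it are constructed.

```python
import re

# Constructed sample iCalendar (RFC 5545) export, not data from the post or any real
# organisation. Event 1 has no CLASS property and mirrors the entry the post quotes.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:1@example.invalid
SUMMARY:Internal Communication Weekly Meeting
DESCRIPTION:Agenda: http://devcentral.intranet.example.invalid/products Dial In:
  +1 555 010 0199 Moderator passcode: 1234567 Participant passcode: 654321
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
SUMMARY:Dentist
CLASS:PRIVATE
DESCRIPTION:Dial-in passcode: 999999
END:VEVENT
END:VCALENDAR
"""

# Secrets of the kinds the post shows in event text; broad on purpose (pre-publication check).
PATTERNS = {
    "passcode": re.compile(r"\b(?:pass ?code|pin|password)\b\s*[:=]?\s*\d{4,}", re.I),
    "intranet_url": re.compile(r"https?://\S*\b(?:intranet|internal|corp)\b\S*", re.I),
    "dial_in": re.compile(r"\+\d[\d\s()-]{7,}\d"),
}

def parse_events(ics_text):
    """Unfold RFC 5545 continuation lines (they start with SP/TAB), split VEVENTs."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    events = []
    for block in re.findall(r"BEGIN:VEVENT\r?\n(.*?)\r?\nEND:VEVENT", unfolded, re.S):
        props = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            props[key.split(";")[0].upper()] = value  # drop params such as ;LANGUAGE=
        events.append(props)
    return events

def find_leaks(ics_text):
    """Flag events a public search could index (CLASS absent or PUBLIC) that match."""
    findings = []
    for ev in parse_events(ics_text):
        if ev.get("CLASS", "PUBLIC").upper() != "PUBLIC":  # RFC 5545 default is PUBLIC
            continue
        text = ev.get("SUMMARY", "") + "\n" + ev.get("DESCRIPTION", "")
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings.append({"uid": ev.get("UID"), "hits": hits})
    return findings
```

Running `find_leaks(SAMPLE_ICS)` reports only the first event, since the second is marked PRIVATE; note that an event with no CLASS at all counts as public, which is exactly how people end up in the situation the post describes.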



April 17th, 2007 at 10:22 am
Actually, this used to be much worse — in the first months of Google Calendar, most events were listed in the search functions even if you were not allowed to see them. With the right search queries, you could spot passwords, PINs, phone numbers, doctors’ appointments, etc — you could even limit them to certain users (provided you knew their login names) if you wanted to check what they were doing (and you knew keywords to query with).
That part has thankfully been fixed for a long time. I was surprised that nobody made a big fuss about it back then, but perhaps only a few were curious enough to search for things they shouldn’t see :-). When I had time to report it to Google, it was already locked down much better.
April 17th, 2007 at 11:07 am
Combine that with a bit of social engineering and you’ve got yourself some insider tips.
April 17th, 2007 at 2:42 pm
What about:
http://www.google.com/calendar/events?state=mode%3Dweek,7&q=password+intranet&ql=&qt=&qtd=&sa=N&page=vl&afp=4a642bfcbf45e7bf
April 17th, 2007 at 2:43 pm
Also try this one:
http://www.google.com/calendar/events?state=mode%3Dweek%2C7&q=username+password&btnG=Search+Public+Events&ql=&qt=&qtd=
April 17th, 2007 at 10:26 pm
Hi, I’m the product manager for Google Calendar. Please take a look at my comments on this issue here:
http://www.computerworld.com/comments/node/9016920#comment-6216
Thanks,
Shirin Oskooi, Google Calendar
April 18th, 2007 at 12:24 am
Shirin,
While I’m glad y’all are paying attention to posts such as this, I think RSnake’s post is talking more about how people use social networking sites than about an application vulnerability. This looks to me to be another example of how much trouble people can cause by putting private information in a very public application. Add in that a lot of the non-tech people I talk to say things like, “Why would they (bad guys) bother with my stuff?” or “It’s just a calendar event or email. No one will see it.” In this case, they click “OK” on a warning message because it is just easier that way and they don’t think it through. What they fail to understand is how technology can make that single email or event accessible to anyone who happens to be looking for similar items. Obviously, if you put a strong search engine on top of it, the things we put online become extremely visible.
I’m not sure what the fix is for something like this. Education helps some, but it’s hard for technology to compensate for a determined idiot.
September 7th, 2007 at 1:16 pm
I can suggest a new dork, “login password”, for Google Calendar ;-).
http://www.google.com/calendar/events?state=mode%3Dweek%2C7&q=login+password