web application security lab

Internal Info Leak Via Google Calendar

Someone sent over an interesting issue that I hadn’t seen before. Because of the way people use Google’s calendaring function, they are vulnerable to having corporate information leaked, including intranet addresses, dial-in information (passcodes included) and anything else they type in. Pretty scary actually, as I think most of the people using this assume their information is private somehow:

Inspired by http://johnny.ihackstuff.com/ghdb.php I decided to type “passcode intranet” into the Google Calendar public search. One of the results is
http://www.google.com/calendar/events?state=mode%3Dweek,7%26date%3D20070415&q=passcode+intranet&ql=&qt=&qtd=&sa=N&page=vl&afp=8690e067387d3463

Internal Communication Weekly Meeting
Agenda:
http://devcentral.intranet.mckinsey.com/products/PeopleSystems/internal-com

Dial In:

Moderator passcode: 2859485
Participant passcode: 874129

Local - UK, London: +44 (0)20 7784 1013
Local - USA, New York: +1 718 354 1113

Openly telling people about passcodes, intranet sites, etc.
WoW!

Not so good. This is pretty much exactly the kind of recon necessary to start doing industrial espionage. Weekly meetings that discuss key internal information? Not looking good. Sometimes you see major leaks in the least likely places. In fact, if you search for some of these keywords on other corporate-acceptable social networking sites, I bet you’d find a lot of the same issues. Nice find!
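The defender-side check that follows from this, as an added example that is not part of the original post: audit an iCalendar (.ics) export of your own organisation’s calendars for public events whose text contains conference passcodes or intranet URLs, which is exactly what a public calendar search would index. The sample export, the regex heuristics and the leak labels are all constructed for this example.

```python
import re

# Constructed sample export (not from the original post). Event 1 is PUBLIC and
# leaks an intranet URL plus dial-in passcodes, event 2 is PRIVATE, event 3 has
# no CLASS at all. A line starting with a space is an RFC 5545 folded
# continuation; "\n" inside a value is iCalendar's newline escape.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Internal Communication Weekly Meeting\r\nCLASS:PUBLIC\r\n"
    "DESCRIPTION:Agenda: http://devcentral.intranet.example.com/products\\nDial\r\n"
    "  In:\\nModerator passcode: 1111111\\nParticipant passcode: 222222\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Dentist\r\nCLASS:PRIVATE\r\n"
    "DESCRIPTION:Patient PIN: 5555\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Standup\r\nLOCATION:Bridge PIN: 43210\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Heuristics for the two leak types in the post: numeric conference passcodes
# and URLs whose hostname marks them as internal (assumed keyword list).
LEAK_PATTERNS = {
    "dial-in passcode": re.compile(r"\b(?:passcode|pin|password)\b\s*[:#]?\s*\d{4,}", re.I),
    "intranet url": re.compile(r"https?://\S*\b(?:intranet|internal|corp)\b\S*", re.I),
}

def parse_events(ics_text):
    """Minimal VEVENT parser: unfold lines, strip property parameters, unescape."""
    events, current = [], None
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        name, _, value = line.partition(":")
        name = name.split(";")[0].upper()  # drop params such as ;VALUE=DATE
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT":
            events.append(current)
            current = None
        elif current is not None:
            current[name] = value.replace("\\n", "\n").replace("\\N", "\n").replace("\\,", ",")
    return events

def find_leaks(event):
    text = "\n".join(event.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    return {label: pat.findall(text) for label, pat in LEAK_PATTERNS.items() if pat.search(text)}

def audit_public_events(ics_text):
    """Return (summary, findings) for each public event carrying sensitive text.
    RFC 5545 defaults CLASS to PUBLIC when it is absent, so those are checked too."""
    report = []
    for event in parse_events(ics_text):
        if event.get("CLASS", "PUBLIC").upper() != "PUBLIC":
            continue
        hits = find_leaks(event)
        if hits:
            report.append((event.get("SUMMARY", "(no title)"), hits))
    return report
```

Running `audit_public_events(SAMPLE_ICS)` flags the weekly meeting and the CLASS-less standup but not the private dentist appointment; the same function can be pointed at a real export to find events that should be made private or scrubbed.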

7 Responses to “Internal Info Leak Via Google Calendar”

  1. JohnMu Says:

    Actually, this used to be much worse — in the first months of Google Calendar, most events were listed in the search functions even if you were not allowed to see them. With the right search queries, you could spot passwords, PINs, phone numbers, doctor’s appointments, etc — you could even limit them to certain users (provided you knew their login names) if you wanted to check what they were doing (and you knew keywords to query with).

    That part has thankfully been fixed for a long time. I was surprised that nobody made a big fuss about it back then, but perhaps only a few were curious enough to search for things they shouldn’t see :-). When I had time to report it to Google, it was already locked down much better.

  2. Awesome AnDrEw Says:

    Combine that with a bit of social engineering and you’ve got yourself some insider tips.

  3. dusoft Says:

    what about:
    http://www.google.com/calendar/events?state=mode%3Dweek,7&q=password+intranet&ql=&qt=&qtd=&sa=N&page=vl&afp=4a642bfcbf45e7bf

  4. dusoft Says:

    also try this one:
    http://www.google.com/calendar/events?state=mode%3Dweek%2C7&q=username+password&btnG=Search+Public+Events&ql=&qt=&qtd=

  5. Shirin Oskooi Says:

    Hi, I’m the product manager for Google Calendar. Please take a look at my comments on this issue here:
    http://www.computerworld.com/comments/node/9016920#comment-6216

    Thanks,
    Shirin Oskooi, Google Calendar

  6. Tadaka Says:

    Shirin,
    While I’m glad y’all are paying attention to posts such as this, I think RSnake is talking more about how people use social networking sites than about an application vulnerability. This looks to me to be another example of how much trouble people can cause by putting private information in a very public application. Add in that a lot of the non-tech people I talk to say things like, “Why would they (bad guys) bother with my stuff?” or “It’s just a calendar event or email. No one will see it.” In this case, they click “OK” on a warning message because it is just easier that way and they don’t think it through. What they fail to understand is how technology can make that single email or event accessible to anyone who happens to be looking for similar items. Obviously, if you put a strong search engine on top of it, the things we put online become extremely visible.

    I’m not sure what the fix is for something like this. Education helps some, but it’s hard for technology to compensate for a determined idiot.

  7. MustLive Says:

    I can suggest new dork “login password” for Google Calendar ;-).

    http://www.google.com/calendar/events?state=mode%3Dweek%2C7&q=login+password