Over a Billion Google Calendar Users Are Still at Risk of Hacking

Back in 2017, researchers from Black Hills Information Security revealed a flaw in the Google Calendar App which left more than a billion users unprotected against hackers.

Since May this year, hackers have been sending invites to Google Calendar users in order to take advantage of a feature which automatically adds the invites to the user’s Gmail inbox and notifies them.

These invitations usually include URLs which lead to a phishing website. Forbes’ cybersecurity reporter Davey Winder reported the issue again this year as Google did not fix the issue as it would cause “major functionality drawbacks”.

Google’s Response

In their reply to Winder, Google said,

Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Google offers security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.

Google is reportedly working on a fix for the oversight but has not disclosed when the fix will arrive. In a post, the company added,

We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available. Learn how to report and remove spam. Thank you for your patience.

The post then takes the user to another page where it shows them how to report unwanted invites.

How to Avoid This Issue

To protect yourself from these scams, you can change how your Google Calendar app handles invitations. Open the desktop version of the calendar then click on the ‘cog’ icon followed by the settings menu, Event settings, then change “Automatically add invitations” to “No, only show invitations to which I have responded.”

This will help you avoid spam notifications but this isn’t a permanent solution.