Hacking Google Calendar - anyone can do it
Chris Pirillo writes about a security issue in the latest Google Calendar feature, which lets you search for public events directly from Google Calendar. It is not a security breach, but it is a problem, because many users seem to leave their user names and passwords in their reminders.
Here’s how it works. Enter “username password”, “user password”, or anything similar into the public event search. The very first result currently gives out the user name and password for a Gmail account, and there are many more similar examples. Why does this happen? Because people go public with their Google Calendar, forgetting that they might have some sensitive info in there.

Results of search for “username password”. Actual user names and passwords are edited.
The problem stems from the fact that Google Calendar allows you to have a private or a public calendar, or to share it with specific users. People, being lazy as they are, probably want to share some info only with specific users, but they don’t bother entering those users’ e-mail addresses and choose the “public” option instead.
Google’s hands are clean here: they have the options, and they display a warning before someone turns their calendar public. But it seems that the warning doesn’t work for many, so Google should definitely consider adding an additional warning, or adding an option to share the calendar with all the people in your Gmail account, but not anyone else.
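A check a calendar owner can run before switching a calendar to public, added here as an example and not part of the original post: it scans an iCalendar (.ics) export for events that mention credentials. The export format, the keyword list and all sample data are assumptions made for the example.

```python
import re

# Constructed sample of an iCalendar (.ics) export; no real data.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "SUMMARY:Team lunch",
    "DESCRIPTION:Bring the quarterly slides",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "SUMMARY:Renew hosting",
    "DESCRIPTION:Control panel user",   # long values are folded: the next
    " name: demo_user pass",            # lines start with one space and
    " word: EXAMPLE-ONLY",              # continue this one (RFC 5545)
    "BEGIN:VALARM",
    "DESCRIPTION:This is an event reminder",
    "END:VALARM",
    "END:VEVENT",
    "END:VCALENDAR", ""])

# Hypothetical keyword list; extend it for your own language and habits.
CRED_RE = re.compile(r"\b(?:user\s?name|password|passwd|pwd|passphrase)\b", re.I)
FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION")

def unfold(ics_text):
    """Join folded lines: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def events(ics_text):
    """Yield {property: [values]} per VEVENT (parameters are ignored)."""
    current = None
    for line in unfold(ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            yield current
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            # Keep every value: a nested VALARM has its own DESCRIPTION.
            current.setdefault(name.split(";")[0].upper(), []).append(value)

def risky_events(ics_text):
    """Return (title, [fields]) for events whose text mentions credentials."""
    hits = []
    for ev in events(ics_text):
        fields = [f for f in FIELDS
                  if any(CRED_RE.search(v) for v in ev.get(f, []))]
        if fields:
            hits.append((ev.get("SUMMARY", ["(no title)"])[0], fields))
    return hits
```

A keyword match only marks an event for manual review; credentials written without any of these words will not be caught.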
April 23rd, 2007 at 7:06 am
As you said, the problem isn’t really with Google, it’s with the users, isn’t it always!
It’s much the same as when Joe Public started using p2p applications, most of the initial applications would prompt you during setup to select a folder for storing/sharing files from.
So many people selected C:\ rather than going through the hassle of setting up a new folder to store downloads/shared files. And then claimed the p2p applications created a security hole which allowed people to steal sensitive files from their computer.
Many users will counter with the fact that they “don’t want to learn, it should just do what I want it to” which is something web developers are always striving for, the best possible usability. But as with anything it’s a balance.
Protect the users by not allowing them to make documents/calendars/etc globally public and you will have people moaning that their Auntie Jane can’t view their latest cats pictures as she doesn’t have a Google account.
Let them make things globally public and then we get the situation above.
My own personal opinion, screw ‘em
If they can’t be bothered learning the little it takes about an application to know that this kind of thing is a bad idea then perhaps they need a short sharp lesson on internet security and preventing identity fraud 
April 23rd, 2007 at 9:28 am
@Aaron: I agree that this is not Google’s fault, unlike some other bloggers who declared that this is a major oversight on Google’s part. Actually, this is nothing new: you can do very similar “hacks” with Google Search, and it requires an astoundingly low amount of knowledge to use them. However, when something is as obvious as this, perhaps Google should take some steps to additionally warn users about it.
April 23rd, 2007 at 2:04 pm
Hello,
We at the Calgoo office use Google Calendar in a business setting. As stated the privacy issues are not with Google but the users of Google Calendar not knowing how to use the product.
You state that “perhaps Google should take some steps to additionally warn users about it.” and anyone would be hard pressed not to agree with you on that point. It seems that even Google agrees and has taken steps to be more clear in regards to how to use the settings in Google Calendar.
The biggest problem we as Google users may run into in time is that if things are made so safe, and so basic to save people from making these mistakes, we may limit the powerful nature of some of these products.
- Calgoo
www.calgoo.com
April 23rd, 2007 at 10:44 pm
[…] The silliest kind of hacking: since people don’t know what they keep in Google, and authorizing contact by contact is a chore (it’s easier to make it public for everyone), searching for username and password turns up the details of several accounts. Heh. […]
March 22nd, 2009 at 8:00 pm
hello
just thanks
April 6th, 2009 at 8:10 am
It sounds like you’re creating problems yourself by trying to solve this issue instead of looking at why there is a problem in the first place.
April 8th, 2009 at 11:31 pm
Not that I’m totally impressed, but this is more than I expected when I found a link on Delicious telling that the info is quite decent. Thanks.
April 15th, 2009 at 9:11 am
After reading through this article, I just feel that I really need more info. Can you suggest some more resources please?