Hacking Google Calendar - anyone can do it

Chris Pirillo writes about a security issue in the latest Google Calendar feature, which lets you search for public events directly from Google Calendar. It is not a security breach, but it is a problem, because many users seem to leave their user names and passwords in their reminders.

Here’s how it works. Enter “username password”, “user password”, or anything similar into the public event search. The very first result currently gives out the user name and password for a Gmail account, and there are many more similar examples. Why does this happen? Because people go public with their Google Calendar, forgetting that they might have some sensitive info in there.


Results of search for “username password”. Actual user names and passwords are edited.

The problem stems from the fact that Google Calendar allows you to have a private or a public calendar, or to share it with specific users. People, being as lazy as they are, probably want to share some info only with specific users, but they don’t bother entering those users’ e-mail addresses and choose the “public” option instead.

Google’s hands are clean here: they provide the options, and they display a warning before someone turns their calendar public. But it seems that the warning doesn’t work for many, so Google should definitely consider adding an additional warning, or an option to share the calendar with all the people in your Gmail account but not anyone else.
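A pre-sharing check in the spirit of the extra warning suggested above, as an added example that is not from the original post or from Google: it scans an iCalendar (.ics) export for event text that looks like stored credentials before the calendar is made public. The sample data, the keyword list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample export (iCalendar, RFC 5545); not data from the page.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\nUID:1@example.invalid\r\nSUMMARY:Dentist\r\n"
    "DESCRIPTION:Bring insurance card\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:2@example.invalid\r\nSUMMARY:Renew hosting\r\n"
    # Long lines are folded in .ics files: here "password" is split in two.
    "DESCRIPTION:Hosting panel details - pass\r\n word: EXAMPLE-ONLY\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Free-text properties a public event search would index (assumed list).
TEXT_FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION")
# Credential-like label followed by ':' or '=' (assumed heuristic, tune as needed).
CRED_RE = re.compile(
    r"\b(user\s*name|user|login|password|passwd|pwd|pass|pin)\b\s*[:=]", re.I)

def unfold(ics_text):
    """Undo line folding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def events(ics_text):
    """Yield one dict of property name -> value per VEVENT."""
    current = None
    for line in unfold(ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            yield current
            current = None
        elif current is not None and ":" in line:
            # Simplification: assumes no ':' inside quoted property parameters.
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value

def find_credential_events(ics_text):
    """Return (uid, field) pairs for events whose text looks like stored credentials."""
    return [(ev.get("UID", "?"), field)
            for ev in events(ics_text)
            for field in TEXT_FIELDS
            if CRED_RE.search(ev.get(field, ""))]

if __name__ == "__main__":
    for uid, field in find_credential_events(SAMPLE_ICS):
        print(f"review before sharing publicly: event {uid}, field {field}")
```

Running the pattern over the raw file misses the second event because of the fold, which is why the text is unfolded before matching.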



5 Responses to “Hacking Google Calendar - anyone can do it”


  1. Aaron Bassett

    As you said, the problem isn’t really with Google, it’s with the users, isn’t it always! ;) It’s much the same as when Joe Public started using p2p applications, most of the initial applications would prompt you during setup to select a folder for storing/sharing files from.

    So many people selected C:\ rather than going through the hassle of setting up a new folder to store downloads/shared files. And then claimed the p2p applications created a security hole which allowed people to steal sensitive files from their computer.

    Many users will counter with the fact that they “don’t want to learn, it should just do what I want it to” which is something web developers are always striving for, the best possible usability. But as with anything it’s a balance.
    Protect the users by not allowing them to make documents/calendars/etc globally public and you will have people moaning that their Auntie Jane can’t view their latest cats pictures as she doesn’t have a Google account.

    Let them make things globally public and then we get the situation above.

    My own personal opinion, screw ‘em :) If they can’t be bothered learning the little it takes about an application to know that this kind of thing is a bad idea then perhaps they need a short sharp lesson on internet security and preventing identity fraud ;)

  2. Stan Schroeder

    @Aaron: I agree that this is not Google’s fault, unlike some other bloggers who declared that this is a major oversight on Google’s part. Actually, this is nothing new: you can do very similar “hacks” with Google Search, and it requires an astoundingly low amount of knowledge to use them. However, when something is as obvious as this, perhaps Google should take some steps to additionally warn users about it.

  3. Calgoo

    Hello,

    We at the Calgoo office use Google Calendar in a business setting. As stated, the privacy issues are not with Google but the users of Google Calendar not knowing how to use the product.

    You state that “perhaps Google should take some steps to additionally warn users about it.” and anyone would be hard pressed not to agree with you on that point. It seems that even Google agrees and has taken steps to be more clear in regards to how to use the settings in Google Calendar.

    The biggest problem we as Google users may run into in time is that if things are made so safe, and so basic to save people from making these mistakes, we may limit the powerful nature of some of these products.

    - Calgoo

    www.calgoo.com

  1. Google Calendar Passwords in The Open, Google Antitrust case, and more Google News
  2. Octeto » Blog Archive » Cuidadín con Google Calendar
