Google has finally acknowledged a vulnerability in the Google Calendar app that left more than a billion users open to a credential-stealing exploit.
In 2017, two cybersecurity researchers at Black Hills Information Security reported the vulnerability and demonstrated how they exploited it to gain access to users' credentials.
The vulnerability has put 1.5 billion users at risk.
A Google spokesperson responded to the researchers' findings, saying that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.”
Google is informing all its users about “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.”
The vulnerability in Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate with calendaring functionality.
When a user gets an invitation on the calendar, a pop-up notification appears on their smartphone. Hackers could create messages that include a malicious link, and these links can direct users to a fake online poll or questionnaire that offers a financial incentive to participate and collects bank account or credit card details.
“Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” said Javvad Malik, a security awareness advocate at KnowBe4.
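On the defensive side, the invitation flow described above can be screened before an event reaches a user's calendar. The following is an added example, not code from Google or the researchers: it parses an iCalendar (RFC 5545) invite and flags it when the organizer is outside a trusted domain list and the event text carries links. The function names, the trusted domain and the sample invite are assumptions constructed for illustration.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
MAILTO_RE = re.compile(r"mailto:[^@\s]+@([^\s;>\"]+)", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION"}

def unfold(ics):
    """Undo RFC 5545 folding: a line starting with space/tab continues the previous line."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def unescape(text):
    """Decode iCalendar TEXT escapes so an escaped newline does not glue onto a URL."""
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def review_invite(ics, trusted_domains):
    """Return organizer domain, extracted links, and whether the invite needs review."""
    organizer_domain, urls = None, []
    for line in unfold(ics):
        m = re.match(r"[A-Za-z-]+", line)
        name = m.group(0).upper() if m else ""
        if name == "ORGANIZER":
            found = MAILTO_RE.search(line)
            if found:
                organizer_domain = found.group(1).lower()
        elif name in TEXT_PROPS:
            urls += [u.rstrip(".,)") for u in URL_RE.findall(unescape(line))]
    # A missing organizer is treated as external (untrusted).
    external = organizer_domain not in trusted_domains
    return {"organizer_domain": organizer_domain, "external": external,
            "urls": urls, "flagged": external and bool(urls)}

# Constructed sample invite (not a real one); the DESCRIPTION line is folded mid-URL.
SAMPLE = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Rewards Team:mailto:survey@sender.example\r\n"
    "SUMMARY:Complete our poll and claim your reward\r\n"
    "DESCRIPTION:Confirm your card details here:\\nhttps://poll.example/cl\r\n"
    " aim?id=1\\nThank you\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(review_invite(SAMPLE, {"corp.example"}))
```

A flagged invite is a candidate for quarantine or a warning banner, not proof of phishing; the extracted links can then be checked against a URL reputation service.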