Thousands of Google users are exposing the contents of their calendars to the public. The information is indexed by search engines and can include email addresses as well as private events from individuals and businesses.

The problem stems from users misconfiguring Google Calendar when they share its contents with others: making the data public means that anyone with the Calendar link can access it.

Google shows a warning about this, but thousands of users seem to ignore it, leaving their calendars available in public searches. Even organizations appear to disregard the notification and end up disclosing business-related information to the world.

Dorks are powerful

Avinash Jain, a security researcher from India working for e-commerce company Grofers, discovered that using advanced search parameters (dorks) on Google can reveal meetings, interviews, events, internal information, presentation links, and locations for some companies.

He discovered over 200 calendars exposing information that should remain private, yet it was indexed by Google.

Avinash has experience in finding unprotected details using readily available methods. Putting his skills to work, he previously found a way to discover misconfigured Jira servers used by big-name companies such as Google, NASA, Lenovo, 1Password, Zendesk, or Yahoo!.

Finding if a specific calendar is openly accessible is as easy as running a particular query that includes the owner's email address, the researcher discloses in a blog post today. Uncovering all open calendars indexed by Google requires a more general search:

inurl:https://calendar.google.com/calendar?cid=

Using this query, at the time of writing Google lists over 7,000 results. Not all the calendars have entries, though, and it's a matter of going through them manually to find one that has sensitive information.

Avinash was able to find troves of sensitive details from doctors' offices, individuals, and organizations. Some of those he was able to add to his calendar are available below:

Needless to say, a company leaking specifics of its meetings, links to internal presentations, or email IDs would put itself at risk. Competitors could glean these details, and crooks could use them to plan a cyber attack.

Reveal only current status

Avinash told BleepingComputer that he disclosed the issue to Google, but the company replied that this is how the product is intended to work, so it is up to users to protect their data.

He also reported an open calendar to a company that rewarded him for his private disclosure. The researcher could not reveal the name of the company and the amount received.

Another researcher, though, who reported the same type of issue to Shopify, got a $1,500 bounty earlier this year. He was able to glean the following details from the exposed calendar:

New hire information

Internal presentation

Zoom meetings link

Some users may need to share their calendars to make their schedule known to others and reduce the risk of impromptu requests or activities that would disturb their workflow.

A solution is to set your calendar to share minimum information about your schedule, disclosing only whether you're busy or available. This is particularly recommended for G Suite admins who handle the calendars of people in an organization.

Google provides easy-to-follow steps to manage sharing options for users as well as to limit what and how much they can share internally and externally.
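
For admins who want to check this setting at scale, the following is an added example, not code from the researcher or from Google. It assumes each calendar's sharing rules have already been exported in the shape of the Calendar API v3 Acl resource (a "role" plus a "scope" whose type "default" means public); the function names and all sample data are constructed for illustration.

```python
# Roles from the Calendar API Acl resource, ordered from least to most access.
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}

# Constructed sample: calendar id -> "items" of an ACL listing for that calendar.
SAMPLE_ACLS = {
    "meetings@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "admin@example.com"}},
        {"role": "reader", "scope": {"type": "default"}},          # public, full details
    ],
    "frontdesk@example.com": [
        {"role": "freeBusyReader", "scope": {"type": "default"}},  # public, busy/free only
    ],
    "hr@example.com": [
        {"role": "writer", "scope": {"type": "domain", "value": "example.com"}},
        {"role": "none", "scope": {"type": "default"}},            # explicitly not public
    ],
    "legacy@example.com": [
        {"role": "editorX", "scope": {"type": "default"}},         # unrecognised role
    ],
}

def public_role(rules):
    """Return the strongest role granted to the public scope, or None."""
    best = None
    for rule in rules:
        if rule.get("scope", {}).get("type") != "default":
            continue  # user, group and domain rules are not public exposure
        role = rule.get("role", "")
        # Unrecognised roles rank above "owner" so the audit fails closed.
        rank = ROLE_RANK.get(role, len(ROLE_RANK))
        if best is None or rank > best[0]:
            best = (rank, role)
    return best[1] if best and best[0] > 0 else None

def audit(acls):
    """Classify each calendar as private, public-free-busy or public-details."""
    findings = {}
    for cal_id, rules in acls.items():
        role = public_role(rules)
        if role is None:
            findings[cal_id] = "private"
        elif role == "freeBusyReader":
            findings[cal_id] = "public-free-busy"  # the minimum-information setting
        else:
            findings[cal_id] = "public-details"    # event contents visible to anyone
    return findings

if __name__ == "__main__":
    for cal_id, verdict in sorted(audit(SAMPLE_ACLS).items()):
        print(f"{verdict:18} {cal_id}")
```

Calendars reported as public-details are the ones to switch to free/busy-only sharing or to make private.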

Update [09/17/2019, 17:31 PM EST]: A Google representative provided a statement highlighting that Calendars are private by default for both G Suite and consumer users.