If you use Google Calendar, you might be one of the thousands of users inadvertently exposing the content on your calendar to the public.
How? Well, Google Calendar has multiple features for sharing a calendar. If you choose to share your calendar, there’s an option to “make it available to the public.” It’s worth noting that when you make your calendar public, Google displays a warning dialog that states:
“Making your calendar public will make all events visible to the world, including by way of Google search. Are you sure?”
Sadly, most people, and organizations, ignore this warning. As a result, they end up disclosing business-related information to the world because their calendar is available in public searches.
Although no actual vulnerability exists in Google Calendar, Google has come under fire for the “make it public” feature tied to its Google Calendar service — many critics view it as a privacy violation.
One such critic is Avinash Jain, a security researcher from India.
Jain discovered over 200 calendars exposing information that should remain private. He detailed his findings in a blog post and believes that Google’s Calendar settings don’t sufficiently warn users that sharing a Google Calendar with others using a link can expose that calendar to the public – also making the link available to be indexed by Google.
“Users might have intended to make their calendar public for particular company people, and just shared the URL with them, but instead it is indexed and findable using Google search,” Jain says, in a statement to Forbes.
This is not the first time that concerns have been raised about Google’s “make it public” feature.
But, for Jain and many others, one of the major concerns is that Google doesn’t notify the creator of a public Calendar when someone accesses it or adds an event to it. Therefore, users may not be aware that they are exposing information and unintentionally opening themselves up to spammers and phishers.
Even worse, anyone using an advanced Google search query (Google Dork) can find all publicly available Calendars within seconds and access sensitive data.
“Various calendars belonged to many of the top 500 Alexa company’s employees as well, which intentionally/unintentionally were made public by the employees themselves,” Jain says.
So, how can you keep your information safe?
If you must share your Calendar, we recommend sharing as little information about your schedule as possible: disclose only whether you’re busy or available. And if you want to share your calendar privately, Google has a feature that allows you to invite specific users by adding their email addresses under Calendar settings.
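To check your own calendars against this advice, the following Python script (an added example, not from the original article or from Google) classifies sharing rules by exposure. It assumes the rules are already exported in the shape of the Google Calendar API v3 ACL resource (`role` plus `scope.type`); the function names and the sample data are constructed for illustration.

```python
"""Audit calendar sharing rules for public exposure (added example)."""

# Roles that reveal event details, as opposed to "freeBusyReader",
# which only shows whether a time slot is busy or available.
DETAIL_ROLES = {"reader", "writer", "owner"}
RANK = {"high": 0, "medium": 1, "low": 2}

def classify_rule(rule):
    """Return (severity, reason) for one ACL rule dict."""
    scope = rule.get("scope", {})
    stype, role = scope.get("type"), rule.get("role")
    if role == "none":
        return ("ok", "access explicitly denied")
    if stype == "default":  # "default" scope = anyone, i.e. a public calendar
        if role in DETAIL_ROLES:
            return ("high", "public can see all event details")
        return ("low", "public can see free/busy only")
    if stype == "domain":
        if role in DETAIL_ROLES:
            return ("medium", f"everyone in {scope.get('value')} sees event details")
        return ("low", f"everyone in {scope.get('value')} sees free/busy only")
    # "user" or "group": shared with named people, as the article recommends
    return ("ok", f"shared with specific {stype}")

def audit(calendars):
    """calendars: {calendar_id: [rules]} -> findings sorted by severity."""
    findings = []
    for cal_id, rules in calendars.items():
        for rule in rules:
            severity, reason = classify_rule(rule)
            if severity != "ok":
                findings.append((cal_id, severity, reason))
    return sorted(findings, key=lambda f: (RANK[f[1]], f[0]))

# Constructed sample data, not real calendars.
SAMPLE = {
    "team-roadmap@example.com": [
        {"role": "owner", "scope": {"type": "user", "value": "alice@example.com"}},
        {"role": "reader", "scope": {"type": "default"}},
    ],
    "office-hours@example.com": [
        {"role": "freeBusyReader", "scope": {"type": "default"}},
    ],
    "hiring@example.com": [
        {"role": "writer", "scope": {"type": "user", "value": "bob@example.com"}},
        {"role": "reader", "scope": {"type": "domain", "value": "example.com"}},
    ],
}

if __name__ == "__main__":
    for cal_id, severity, reason in audit(SAMPLE):
        print(f"{severity.upper():6} {cal_id}: {reason}")
```

A "high" finding corresponds to the fully public setting the warning dialog describes; "low" matches the busy/available-only sharing recommended above.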