
Google Calendar Event Injection with MailSniper (2017) - andrewaylett
https://www.blackhillsinfosec.com/google-calendar-event-injection-mailsniper/
======
andrejus
I've received a bunch of calendar invites for "Free i PhoneXs from AppleStore"
with a malicious link. Seems like this is now being used for phishing attacks.

I believe API abuse can be reported --
[https://support.google.com/code/contact/cloud_platform_repor...](https://support.google.com/code/contact/cloud_platform_report)

~~~
ZoomStop
Was having the same problem. Fixed it by disabling the adding events from
Gmail automatically according to the Google instructions. I would rather
choose what hits my calendar anyway.

[https://support.google.com/calendar/answer/6084018](https://support.google.com/calendar/answer/6084018)

~~~
joshi4
If people prefer a more visual guide I've created one here:
[https://flowshare.io/flow/how-to-block-spam-invitations-from...](https://flowshare.io/flow/how-to-block-spam-invitations-from-your-google-calendar)

------
sethvargo
Hey everyone - Seth here from Google. I'm sorry to hear this is happening.
This post is from November 2017, and we've taken steps to reduce calendar
spam. If you have specific invitations that came with an email, please forward
the entire email to abuse@google.com. If it did not come with an email, please
copy the calendar details and a screenshot into an email and send it to
abuse@google.com.

You can use this form for reporting mail/calendar abuse:
[https://support.google.com/mail/contact/abuse](https://support.google.com/mail/contact/abuse)

~~~
rcfox
I've received a few myself and hit the spam button on the calendar events. I'd
hope you are looking at that bucket too.

~~~
sethvargo
If it comes via email and you do not recognize the sender, please also mark
them as spam. If you do recognize the sender, please reach out and encourage
them to change their password and revoke any third-party apps they might have
authorized to use their account.

~~~
wyldfire
If I don't see it in my inbox but I do see it in my calendar, does that rule
out "came via email"? Or do I need to check spam folder too?

~~~
swozey
I've never been able to track down an email and if I do it's from
calendar@google.com or something along those lines. These are people somehow
inviting you directly through an invite and you never get an email.

I had this happen about 5 times over the last 2 weeks. I've disabled
everything I could in all of my calendars now (including Samsung which I
missed).

Incredibly frustrating because I can't even BLOCK the person/bot sending this.

~~~
SCHiM
I got this too!

Quite sure my account is not compromised, have 2FA and a KeePass password. The
invites appear to be sent from my own e-mail address. Is this a separate
issue? No third-party access to calendar either.

------
101008
In the last weeks, I had several events on my Google Calendar that I did not
create or accept. They looked like they were in Russian, but I can't be
sure. I marked them as spam and deleted them, of course, but the next week a
different one appeared. Is anyone else going through the same and have any
advice?

~~~
MatekCopatek
Had the same happen, searched around and it seemed to be caused by the Gmail
feature that automatically creates events from invitation emails you receive,
even if they land in spam. Spammers seemed to be using that to their
advantage, so I just turned the feature off.

EDIT: The original article covers this and more, go read it :)

~~~
101008
Yes, I read the original article and I turned off the feature, but it keeps
happening. Thank you anyway!

------
ww520
Got hit by this. Super annoying. It's not through email. It just showed up in
calendar. There's no way to know the original scheduler and no way to mark it
as spam.

There's a variant to this, the calendar event triggered by an event
invitation. Again no way to delete it except decline the event. Should have a
report spam button in the calendar app.

~~~
erikerikson
Agreed the app could use it. The report as spam capability is in the web
version and works.

~~~
booleanbetrayal
I second this. It took a while to get to a web interface, and in the meantime,
the event and links were large enough in daily / details view to constitute a
legitimate mis-tap threat vector.

------
sdoering
Could someone please add [2017] to the title?

Not sure what happened in the nearly two years since this post went public.
But at least we would know that this is not a current disclosure.

~~~
kop316
There has been a fresh wave of folks exploiting it recently (I have had a few
people complain in the past 12 hours about calendar spam). Google apparently
stands by the fact that it is a "feature".

~~~
rtkwe
It is convenient if it's not getting spammed. I use it to passively keep track
of things my SO or parents have planned, like coming up to visit or other
random events. With calendar injection they just show up and I don't have to
constantly wade through my over-cluttered Gmail (side effect of having it for
almost 15 years now).

~~~
kop316
Lots of things are convenient until they are abused. SMTP without SPF or DKIM
is convenient if it's not being spammed. HTTP is fine for authentication until
it's being eavesdropped on.

There is a middle ground. Allowing random people to plop stuff on your
calendar via an API call is not the best idea. I personally have had to tell
five different people how to stop this sort of spam, I don't think they'd
agree it's convenient.

------
chronid
Fun fact, this has been an issue since 2011:

[https://support.google.com/calendar/forum/AAAAd3GaXpEE7zPvtA...](https://support.google.com/calendar/forum/AAAAd3GaXpEE7zPvtAAO9o/?hl=en&gpf=%23!topic%2Fcalendar%2FE7zPvtAAO9o)

~~~
flanbiscuit
And the post is from 2017 but there's been a resurgence of these spam invites
within the last few days. I received 2 of them yesterday.

------
djake
A Report SPAM button on calendar invites would seem to be in order, so I don't
have to manually delete each of these from the same address, and so Google can
ban the offending account quickly.

Edit: it appears you can do this on desktop but not mobile:
[https://support.google.com/calendar/answer/6110973?co=GENIE....](https://support.google.com/calendar/answer/6110973?co=GENIE.Platform%3DAndroid&hl=en&oco=1)

~~~
serf
> A Report SPAM button on calendar invites would seem to be in order

There is one, and it works exactly like that. A single spam report kills all
of the events from that sender.

------
icecap12
Kudos to BHIS for the post and detail. I've been seeing these pop into my
Google Calendar randomly for the past few weeks; obvious phishing attacks. You
can easily delete them of course, but definitely an annoyance.

------
Jonnax
How are they not sending an email but putting stuff in my calendar?

When a friend sends me an invite on Google from their Gmail to my Gmail, I get
an email.

I didn't think there was another mechanism.

~~~
Jivatman
Check your spam folder, I believe this technique works even if the email was
sent to spam.

------
NikolaeVarius
I had an ad on my calendar yesterday and I had no idea how it got there as I
never agreed to anything. Wonder if this was the method.

~~~
arejaytee
Same here, mine was from a spam email that hadn't been caught properly by
Gmail and was later removed. Really great article, didn't know about the 3
settings which would have stopped me getting the notification as not accepted.

------
jplayer01
> Oct 31 – Google responds stating it’s a feature and the settings provide
> users the ability to disable

I mean, I can understand the benefit of the feature. Isn't it impractical
though that the only options are everything (including spam/injected events)
or nothing? Why even have the feature then if they're not going to provide any
mitigation?

------
diveanon
I received the iPhone xs event today and it has motivated me to abandon the
gsuite entirely.

It was the straw that broke the camel's back.

------
latchkey
Try logging into the Firebase console. I had been added to two spam projects
there. Filed a support request 2 days ago to get removed from them (as I
cannot remove myself) and got a response saying 'we are looking into this'...
now silence.

------
vaseem
Thanks for highlighting this. This isn't getting the required attention from Google.

------
vaseem
What happens when SPAM events are sent to Office365 users?

------
conatus
This advisory has no mitigation it appears. Does anyone have one? I presume
one can simply turn this feature off entirely somehow?

~~~
SturgeonsLaw
1) Sign in to [https://calendar.google.com/](https://calendar.google.com/) in
the browser

2) Click the Settings Gearwheel then Settings

3) Click Event Settings and set "Automatically add invitations" to "No, only
display invitations to which I have replied"

Edit: if you want to disable event auto-add from Gmail while you're at it,
click Events from Gmail then untick "Automatically add events from Gmail to my
calendar"
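
A small triage script, added here as an example (it is not from the BHIS post or from anyone in this thread), that applies the "No, only display invitations to which I have replied" policy from the steps above to event records in the Google Calendar API v3 shape, and flags the unanswered invitations that match what commenters describe: an organizer who is not a known contact or who appears as your own address, with a link in the body. The sample events, addresses, links and the `known_senders` set are constructed for illustration.

```python
import re

# Constructed sample events in the shape of Google Calendar API v3 event
# resources; the addresses and links are made up for this illustration.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Dinner at ours",
     "organizer": {"email": "parent@example.org"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "accepted"}]},
    {"id": "evt-2", "summary": "Free iPhone from AppleStore",
     "description": "Claim now: http://prize.example.net/claim",
     "organizer": {"email": "promo@example.net"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "needsAction"}]},
    {"id": "evt-3", "summary": "Your phone is ready for pickup",
     "description": "http://repair.example.net/pickup",
     "organizer": {"email": "me@example.com", "self": True},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "needsAction"}]},
]

URL_RE = re.compile(r"https?://\S+")


def my_response(event):
    """The user's own responseStatus on the event, or None if not listed as an attendee."""
    for att in event.get("attendees", []):
        if att.get("self"):
            return att.get("responseStatus")
    return None


def replied_only(events):
    """Mirror the 'only display invitations to which I have replied' setting."""
    return [ev for ev in events if my_response(ev) != "needsAction"]


def triage_injected(events, known_senders):
    """Flag unanswered invitations with the traits described in the thread."""
    findings = []
    for ev in events:
        if my_response(ev) != "needsAction":
            continue
        org = ev.get("organizer", {})
        reasons = []
        if org.get("self"):
            reasons.append("organizer shown as your own address")
        elif org.get("email", "").lower() not in known_senders:
            reasons.append("organizer not a known contact")
        if URL_RE.search(ev.get("description", "")):
            reasons.append("link in description")
        if reasons:
            findings.append((ev["id"], reasons))
    return findings
```

Run `triage_injected(SAMPLE_EVENTS, {"parent@example.org"})` to see which of the constructed events would be hidden by the setting and why they look injected.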

~~~
buro9
Note that this only solves it for you.

If you have fully shared your calendar (i.e. to a spouse / partner) then even
though they are not displayed for you they are still displayed to your
partner.

There remains no decent way to ensure no-one sees the spam.

------
hkai
There would be no problem at all if Google didn't have a bug when it adds
events from spam emails into my calendar.

------
jeanlucas
I got 100 events in my calendar warning me to go get my phone at the repair
and a suspicious link with it. It sucks.

------
ChrisSD
What I want to know is why the hell did Google ever think this was a good
idea? I hardly even use Google Calendar and yet I had a spam notification
about an "iPhone X" delivered direct to me.

The most amazing thing about this is only that spammers didn't exploit it
earlier. Or maybe they did but kept a lower profile?

~~~
rtkwe
It's a convenience thing. Without spam invites it's super nice to have events
from friends and family pop up without having to make sure I didn't miss
anything.

~~~
funciton
Friends and family, sure. But why should a random stranger who has never
contacted me before be able to place events in my calendar without my consent?
Why is that even the default behavior?

The easy fix would just be to change the default behavior to not showing
invites from unknown addresses.

------
J_cst
Same here, same ad - just notified abuse@google

