I believe API abuse can be reported -- https://support.google.com/code/contact/cloud_platform_repor...
Thank you to OP!
Are the events added before the email is sorted into spam? If so I wish the calendar hook didn't trigger until the email reaches my "real" inbox. But I have no insight into the gmail lifecycle.
Can anyone else check in your gmail spam folder to see if you have those emails too, and where they came from?
Glad to have an explanation for this phenomenon.
in the process disabled the automatic fetching of events from my emails which was causing double bookings; ahh!
You can use this form for reporting mail/calendar abuse: https://support.google.com/mail/contact/abuse
I had this happen about 5 times over the last 2 weeks. I've disabled everything I could in all of my calendars now (including Samsung which I missed).
Incredibly frustrating because I can't even BLOCK the person/bot sending this.
Quite sure my account is not compromised, have 2fa and a keepass password. The invites appear to be sent from my own e-mail address. Is this a separate issue? No third-party access to calendar either.
Impossible? No. Inconvenient and a pain in the ass? Yes.
For weeks, I've been getting escalating numbers of events. It is up to 4 or 5 new invites per day, each with daily repeats. My calendar settings are locked down (e.g. "Events from Gmail" off) and already have 2FA on the account. Next step for me is to delete gmail calendar entirely.
I went to bed last night with a clean calendar, this morning I have 3 spam invites - 2 in Cyrillic alphabet, one "You have won iPhoneXs". Gotta love 3:55 AM wake-up alerts...
EDIT: The original article covers this and more, go read it :)
I also got added to what looked like a Russian Hangouts group chat with over 100 people in it.
There's a variant to this, the calendar event triggered by an event invitation. Again no way to delete it except decline the event. Should have a report spam button in the calendar app.
Not sure what happened in the nearly two years since this post went public. But at least we would know that this is not a current disclosure.
There is a middle ground. Allowing random people to plop stuff on your calendar via an API call is not the best idea. I personally have had to tell five different people how to stop this sort of spam, I don't think they'd agree it's convenient.
Edit: it appears you can do this on desktop but not mobile: https://support.google.com/calendar/answer/6110973?co=GENIE....
There is one, and it works exactly like that. A single spam report kills all of the events from that sender.
How long until advertisers pay <calendar provider> to add events to our calendars such as take Mom to <restaurant> for Mother's Day, Watch <movie> on its release day, Go To <store> on its grand opening, etc?
(Please take this as a warning, not a "feature" suggestion.)
When a friend sends me an invite on Google from their Gmail to my Gmail, I get an email.
I didn't think there was another mechanism.
I mean, I can understand the benefit of the feature. Isn't it impractical though that the only options are everything (including spam/injected events) or nothing? Why even have the feature then if they're not going to provide any mitigation?
It was the straw that broke the camel's back.
2) Click the Settings Gearwheel then Settings
3) Click Event Settings and set "Automatically add invitations" to "No, only display invitations to which I have replied"
Edit: if you want to disable event auto-add from Gmail while you're at it, click Events from Gmail then untick "Automatically add events from Gmail to my calendar"
If you have fully shared your calendar (i.e. to a spouse / partner) then even though they are not displayed for you they are still displayed to your partner.
There remains no decent way to ensure no-one sees the spam.
"There is an option that states “No, only show invitations to which I have responded”. This prevents the first method of injecting events from working. However, BHIS found that it is possible to set the target’s response status to “Accepted” using the Google API. This effectively bypasses this security setting."
The most amazing thing about this is only that spammers didn't exploit it earlier. Or maybe they did but kept a lower profile?
The easy fix would just be to change the default behavior to not show invites from unknown addresses.