Google Calendar Event Injection with MailSniper (2017) (blackhillsinfosec.com)
117 points by andrewaylett 57 days ago | 70 comments

I've received a bunch of calendar invites for "Free iPhoneXs from AppleStore" with a malicious link. Seems like this is now being used for phishing attacks.

I believe API abuse can be reported -- https://support.google.com/code/contact/cloud_platform_repor...

Was having the same problem. Fixed it by disabling the adding events from Gmail automatically according to the Google instructions. I would rather choose what hits my calendar anyway.


If people prefer a more visual guide I've created one here: https://flowshare.io/flow/how-to-block-spam-invitations-from...

I wish you could whitelist instead of just having a black or white option. My SO and parents I can trust to inject events (keeping track of stuff they've planned but I forgot is 90% of my use of Google Calendar honestly) but now that spammers have discovered Calendar as another place to spam/phish it's less hands off.

I'm getting the same spam/events. What's really weird is I'm pretty sure all of these emails are getting sent to spam but gmail/gcal is still adding the events to the calendar.

Should be opt-in if someone can just send crap to my calendar maliciously.

I can confirm it's being actively exploited this morning (I had a few folks I know complain about it). I think I should point out that the article was written in 2017 (!!!), and Google responded that this is a "feature".

Thank you to OP!

I'd never received one of these until this morning, at about the same time I read this article. Now I just received the same one as you :P

Same here! Killed my morning in to work time on train sorting this out.

I've been getting a lot more recently - seemingly being added from Gmail spam (either that or I'm getting directly injected calendar spam and the same as emails coming through). I don't want to turn off syncing as actual bookings being automatically added are useful.

I'm wondering about this as well as I've been seeing it for at least a year.

Are the events added before the email is sorted into spam? If so I wish the calendar hook didn't trigger until the email reaches my "real" inbox. But I have no insight into the gmail lifecycle.

Got some too. What's super weird though, these calendar invites appear to have been sent from my iCloud email address to my gmail address, and also appear in the sent folder of my @me.com address: https://i.imgur.com/tz2TUh5.png

Anyone else can check in your gmail spam folder if you have those emails too and where they came from?

In that case, I'm going to hazard a guess that your iCloud email address was actually compromised, and is being used to send it to every address in your contacts.

Same happened to me last night, I reviewed all my access rights on security.google.com, couldn't find anything wrong. Reviewed my calendar access rights, couldn't find anything wrong.

Glad to have an explanation for this phenomenon.

Didn't expect a HN post about it so quickly (fairly new here still), but yup it seems entirely spam that completely bypasses normal email filters.

I didn't either. What surprised me more is the post is from 2017.

Same thing here, exact same ad, I reported it as spam.

Invites are set up as a recurring event, so make sure to delete all the events. You can do a search to find any leftover.

If you go to the website you can mark it as spam. Then all occurrences of events from the same sender will be deleted. However there's nothing to stop spammers from sending multiple separate events from "different" senders...

I had to go into the Gmail UI to report the event as spam and it seems to have fixed the issue for me.

In the process I disabled the automatic fetching of events from my emails, which was causing double bookings; ahh!

I just got like 10 of these iPhone ones overnight.

Got the same thing just yesterday.

Hey everyone - Seth here from Google. I'm sorry to hear this is happening. This post is from November 2017, and we've taken steps to reduce calendar spam. If you have specific invitations that came with an email, please forward the entire email to abuse@google.com. If it did not come with an email, please copy the calendar details and a screenshot into an email and send it to abuse@google.com.

You can use this form for reporting mail/calendar abuse: https://support.google.com/mail/contact/abuse

I've received a few myself and hit the spam button on the calendar events. I'd hope you are looking at that bucket too.

If it comes via email and you do not recognize the sender, please also mark them as spam. If you do recognize the sender, please reach out and encourage them to change their password and revoke any third-party apps they might have authorized to use their account.

If I don't see it in my inbox but I do see it in my calendar, does that rule out "came via email"? Or do I need to check spam folder too?

I've never been able to track down an email and if I do it's from calendar@google.com or something along those lines. These are people somehow inviting you directly through an invite and you never get an email.

I had this happen about 5 times over the last 2 weeks. I've disabled everything I could in all of my calendars now (including Samsung which I missed).

Incredibly frustrating because I can't even BLOCK the person/bot sending this.

I got this too!

Quite sure my account is not compromised, have 2FA and a KeePass password. The invites appear to be sent from my own e-mail address. Is this a separate issue? No third-party access to calendar either.

This requires going into my Google Calendar, I suppose. I have my iPhone calendar synced where there is no such option.

Impossible? No. Inconvenient and a pain in the ass? Yes.

In the last weeks, I had several events on my Google Calendar that I did not create or accept. They looked like they were in Russian, but I can't be sure. I marked them as spam and deleted them, of course, but the next week a different one appeared. Is anyone else going through the same and does anyone have any advice?

Same here, and I suspect this article explains the mechanism.

For weeks, I've been getting escalating numbers of events. It is up to 4 or 5 new invites per day, each with daily repeats. My calendar settings are locked down (eg "Events from Gmail" off) and already have 2FA on the account. Next step for me is to delete gmail calendar entirely.

I went to bed last night with a clean calendar, this morning I have 3 spam invites - 2 in Cyrillic alphabet, one "You have won iPhoneXs". Gotta love 3:55 AM wake-up alerts...

Had the same happen, searched around and it seemed to be caused by the Gmail feature that automatically creates events from invitation emails you receive, even if they land in spam. Spammers seemed to be using that to their advantage, so I just turned the feature off.

EDIT: The original article covers this and more, go read it :)

Yes, I read the original article and I turned off the feature, but it keeps happening. Thank you anyway!

I’ve had the exact same happen to me with calendar events a couple times.

I also got added to what looked like a Russian Hangouts group chat with over 100 people in it.

Same here, I had 3 recurring events about an iPhone X sale or some other spam come in my calendar in the past 2 weeks.

Got hit by this. Super annoying. It's not through email. It just showed up in calendar. There's no way to know the original scheduler and no way to mark it as spam.

There's a variant to this, the calendar event triggered by an event invitation. Again no way to delete it except decline the event. Should have a report spam button in the calendar app.

Agreed the app could use it. The report as spam capability is in the web version and works.

I second this. It took awhile to get to a web interface, and in the meantime, the event and links were large enough in daily / details view to constitute a legitimate mis-tap threat vector.

Could someone please add [2017] to the title?

Not sure what happened in the nearly two years since this post went public. But at least we would know that this is not a current disclosure.

There has been a fresh wave of folks exploiting it recently (I have had a few people complain in the past 12 hours about calendar spam). Google apparently stands by the fact that it is a "feature"

It is convenient if it's not getting spammed. I use it to passively keep track of things my SO or parents have planned like coming up to visit or other random events. With calendar injection they just show up and I don't have to constantly wade through my over cluttered gmail (side effect of having it for almost 15 years now).

Lots of things are convenient until they are abused. SMTP without SPF or DKIM is convenient if it's not being spammed. HTTP is fine for authentication until it's being eavesdropped on.

There is a middle ground. Allowing random people to plop stuff on your calendar via an API call is not the best idea. I personally have had to tell five different people how to stop this sort of spam, I don't think they'd agree it's convenient.

Added. Thanks!

Fun fact, this has been an issue since 2011:


And the post is from 2017 but there's been a resurgence of these spam invites within the last few days. I received 2 of them yesterday.

A Report SPAM button on calendar invites would seem to be in order, so I don't have to manually delete each of these from the same address, and so Google can ban the offending account quickly.

Edit: it appears you can do this on desktop but not mobile: https://support.google.com/calendar/answer/6110973?co=GENIE....

>A Report SPAM button on calendar invites would seem to be in order

there is one, and it works exactly like that. A single spam report kills all of the events from that sender.

The fact that we now need a spam button on our calendar is ridiculous.

How long until advertisers pay <calendar provider> to add events to our calendars such as take Mom to <restaurant> for Mother's Day, Watch <movie> on its release day, Go To <store> on its grand opening, etc?

(Please take this as a warning, not a "feature" suggestion.)

Exactly, why on earth is there no "Report Spam" button on mobile?!

Kudos to BHIS for the post and detail. I've been seeing these pop into my Google Calendar randomly for the past few weeks; obvious phishing attacks. You can easily delete them of course, but definitely an annoyance.

How are they not sending an email but putting stuff in my calendar?

When a friend sends me an invite on Google from their Gmail to my Gmail, I get an email.

I didn't think there was another mechanism.

Check your spam folder, I believe this technique works even if the email was sent to spam.

I had an ad on my calendar yesterday and I had no idea how it got there as I never agreed to anything. Wonder if this was the method.

Same here, mine was from a spam email that hadn't been caught properly by Gmail and was later removed. Really great article, didn't know about the 3 settings which would have stopped me getting the notification as not accepted.

> Oct 31 – Google responds stating it’s a feature and the settings provide users the ability to disable

I mean, I can understand the benefit of the feature. Isn't it impractical though that the only options are everything (including spam/injected events) or nothing? Why even have the feature then if they're not going to provide any mitigation?

I received the iPhone xs event today and it has motivated me to abandon the gsuite entirely.

It was the straw that broke the camel's back.

Try logging into the firebase console. I had been added to two spam projects there. Filed a support request 2 days ago to get removed from them (as I cannot remove myself) and got a response saying 'we are looking into this'... now silence.

Thanks for highlighting this. This isn't getting the required attention from Google.

What happens when SPAM events are sent to Office365 users?

This advisory has no mitigation it appears. Does anyone have one? I presume one can simply turn this feature off entirely somehow?

1) Sign in to https://calendar.google.com/ in the browser

2) Click the Settings Gearwheel then Settings

3) Click Event Settings and set "Automatically add invitations" to "No, only display invitations to which I have replied"

Edit: if you want to disable event auto-add from Gmail while you're at it, click Events from Gmail then untick "Automatically add events from Gmail to my calendar"

Note that this only solves it for you.

If you have fully shared your calendar (i.e. to a spouse / partner) then even though they are not displayed for you they are still displayed to your partner.

There remains no decent way to ensure no-one sees the spam.

This is mentioned in the article along with a way for spammers to get around it.

"There is an option that states “No, only show invitations to which I have responded”. This prevents the first method of injecting events from working. However, BHIS found that it is possible to set the target’s response status to “Accepted” using the Google API. This effectively bypasses this security setting."

My bad, it was a little hidden, sentence beginning "There are a few settings that can be set within Google Calendar to prevent events from automatically being added to the calendar".
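To make the two points above concrete (the recurring-invite cleanup advice earlier in the thread, and the quoted bypass in which the target's response status is pre-set to "Accepted"), here is an added Python example. It is not code from the BHIS post, from MailSniper or from anyone in this thread. It builds the kind of event body the article describes for the Calendar API v3 `events.insert` call, then runs a triage pass over constructed `events.list` output that flags invites from organizers outside an allow-list when they arrive pre-accepted, recur, or carry a link. The mailbox `me@example.com`, the allow-list, the sample events and the attacker address are all constructed assumptions; the optional delete step assumes a `google-api-python-client` service object and is dry-run by default.

```python
"""Added example (not from the BHIS post or this thread): the pre-accepted
invite body the article describes, plus a triage pass over Calendar API v3
events.list output that catches it. Sample data and addresses are constructed."""
import re
from typing import Dict, List, Optional

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
ME = "me@example.com"                                  # assumed target mailbox
TRUSTED = {"mom@example.com", "partner@example.com"}   # assumed allow-list


def build_preaccepted_invite(target: str, organizer: str, summary: str,
                             description: str, start: str, end: str,
                             rrule: Optional[str] = None) -> dict:
    """Event body for events.insert in which the target attendee already has
    responseStatus 'accepted', so the 'only show invitations I have responded
    to' setting does not hide it (the bypass the article reports)."""
    body = {
        "summary": summary,
        "description": description,
        "start": {"dateTime": start},
        "end": {"dateTime": end},
        "organizer": {"email": organizer},
        "attendees": [
            {"email": organizer, "organizer": True, "responseStatus": "accepted"},
            {"email": target, "responseStatus": "accepted"},
        ],
    }
    if rrule:
        body["recurrence"] = [rrule]
    return body


def self_status(event: dict, me: str) -> Optional[str]:
    """responseStatus of the attendee entry that is us (self flag or address)."""
    for att in event.get("attendees", []):
        if att.get("self") or att.get("email", "").lower() == me.lower():
            return att.get("responseStatus")
    return None


def suspicion_reasons(event: dict, me: str, trusted: set) -> List[str]:
    """Why an event looks injected; empty list means leave it alone.
    Only events from organizers outside the allow-list are ever flagged."""
    org = event.get("organizer", {})
    org_email = org.get("email", "").lower()
    if org.get("self") or org_email == me.lower():
        return []                              # our own event
    if org_email in trusted:
        return []                              # wanted auto-add behaviour
    reasons = []
    if self_status(event, me) == "accepted":
        reasons.append("our attendee entry arrived pre-set to accepted")
    if event.get("recurrence"):
        reasons.append("recurring invite")
    text = f"{event.get('summary', '')} {event.get('description', '')}"
    if URL_RE.search(text):
        reasons.append("contains a link")
    return reasons


def triage(events: List[dict], me: str, trusted: set) -> Dict[str, List[str]]:
    """Map event id -> reasons for every event with at least one indicator."""
    flagged = {}
    for ev in events:
        reasons = suspicion_reasons(ev, me, trusted)
        if reasons:
            flagged[ev["id"]] = reasons
    return flagged


def delete_flagged(service, calendar_id: str, flagged: Dict[str, List[str]],
                   dry_run: bool = True) -> List[str]:
    """Delete flagged events via the Calendar API (assumed
    google-api-python-client `service`); with dry_run only report the ids.
    sendUpdates='none' avoids notifying the spammer's address."""
    done = []
    for event_id in sorted(flagged):
        if not dry_run:
            service.events().delete(calendarId=calendar_id, eventId=event_id,
                                    sendUpdates="none").execute()
        done.append(event_id)
    return done


# Constructed sample of an events.list response: a wanted invite from a trusted
# contact, an injected pre-accepted recurring invite (the body above as it
# comes back from the API, with an id), and a self-created event.
SAMPLE_EVENTS = [
    {"id": "evt-family", "summary": "Parents visiting",
     "organizer": {"email": "mom@example.com"},
     "attendees": [{"email": "mom@example.com", "organizer": True, "responseStatus": "accepted"},
                   {"email": ME, "self": True, "responseStatus": "needsAction"}]},
    dict(build_preaccepted_invite(ME, "random123@attacker.example",
                                  "You have won iPhoneXs", "Claim: https://bad.example/win",
                                  "2019-08-20T03:55:00Z", "2019-08-20T04:25:00Z",
                                  "RRULE:FREQ=DAILY;COUNT=30"), id="evt-spam"),
    {"id": "evt-dentist", "summary": "Dentist", "organizer": {"email": ME, "self": True}},
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_EVENTS, ME, TRUSTED)
    for event_id, why in flagged.items():
        print(event_id, "->", "; ".join(why))
    print("would delete:", delete_flagged(None, "primary", flagged))
```

The allow-list is the "whitelist instead of black or white" several people asked for: invites from trusted organizers are never touched, and an unknown organizer is only flagged when at least one further indicator is present, so an ordinary first-contact invite that still shows `needsAction` is left alone. Note that a spam report in the web UI, which removes all events from that sender, is still the better first step; this script only helps find leftovers and does not block future senders.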

There would be no problem at all if Google didn't have a bug when it adds events from spam emails into my calendar.

I got 100 events in my calendar warning me to go get my phone at the repair and a suspicious link with it. It sucks.

What I want to know is why the hell did Google ever think this was a good idea? I hardly even use Google Calendar and yet I had a spam notification about an "iPhone X" delivered direct to me.

The most amazing thing about this is only that spammers didn't exploit it earlier. Or maybe they did but kept a lower profile?

It's a convenience thing. Without spam invites it's super nice to have events from friends and family pop up without having to make sure I didn't miss anything.

Friends and family, sure. But why should a random stranger who has never contacted me before be able to place events in my calendar without my consent? Why is that even the default behavior?

The easy fix would just be to change the default behavior to not showing invites from unknown addresses.

Same here, same ad - just notified abuse@google

