
Great Google-ly Moogly - Google finally starts development on patch for 1.5 billion users

rcmaehl

Source:
Forbes (quote source)

Summary:
A vulnerability/feature, discovered in 2017, allowing easy social engineering of Gmail and Google Calendar users is now being patched.

 

Quotes/Excerpts:

Back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to...credential-stealing. Google apparently didn't fix this at the time as it would have caused "major functionality drawbacks"..., despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin' Fest.

A sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications. Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. The threat actor can use this non-traditional attack vector to bypass the increasing amount of awareness amongst average users when it comes to the danger of clicking unsolicited links. When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it.

"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," ... To gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, "could allow physical access to secure areas."

Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google Employee, states that "We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available." Although I am sad that Google is still referring to this as a spam issue, rather than explicitly a security one.

 

My Thoughts:

I'm glad to see Google finally fixing this. It is an attack surface a user is less likely to be wary of. They probably get calendar invites every day if their company is using G Suite, so why NOT trust the new invitation or activity that appeared on your calendar? Going after people is the best way to get into anything as we truly are the weakest link of any security system.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
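The invite-with-a-link pattern the Forbes excerpt describes (an unsolicited invitation whose text carries a URL, auto-added to the victim's calendar) is something a mail gateway or SOC triage script can catch before the notification ever fires. The following is an added example in Python, not code from the article, from Google, or from the Black Hills researchers: it parses an inbound text/calendar body, unfolds RFC 5545 continuation lines, and flags each VEVENT whose organizer is outside a trusted-domain list and whose DESCRIPTION, LOCATION, URL or SUMMARY contains a link. The trusted-domain set, the `.invalid` hostnames and both sample invites are constructed for illustration.

```python
"""Triage inbound iCalendar (.ics / text/calendar) invites for the unsolicited-
invite phishing pattern: external organizer + a link in the event text.

Added example, not Google's code nor the Black Hills tooling. Assumptions:
the invite body is available as text (e.g. a text/calendar MIME part), the
trusted-domain set below is the receiving organisation's own domains, and the
sample invites are constructed for this demonstration.
"""
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRUSTED_DOMAINS = {"example.com"}  # assumption: our own mail domains


def unfold(ics: str) -> list[str]:
    """RFC 5545 section 3.1: a line starting with SPACE or HTAB continues the previous one.
    Attackers rely on folding to hide a URL across two physical lines, so unfold first."""
    lines: list[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Reverse RFC 5545 TEXT escaping: \\n, \\N, \\, \\; and \\\\."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def parse_events(ics: str) -> list[dict[str, str]]:
    """Return one {PROPERTY: value} dict per VEVENT; property parameters
    (e.g. ORGANIZER;CN=...) are dropped, which is enough for this check."""
    events: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_params, value = line.split(":", 1)
            name = name_params.split(";", 1)[0].upper()
            current[name] = unescape(value)
    return events


def organizer_domain(ev: dict[str, str]) -> str:
    """Domain of the ORGANIZER mailto: address, lower-cased; '' if absent."""
    addr = ev.get("ORGANIZER", "").lower().removeprefix("mailto:")
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


@dataclass
class Verdict:
    uid: str
    suspicious: bool
    reasons: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)


def triage(ics: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[Verdict]:
    """Flag an event only when BOTH signals are present: the organizer is not
    one of ours AND the human-visible text carries a URL."""
    verdicts: list[Verdict] = []
    for ev in parse_events(ics):
        reasons, urls = [], []
        dom = organizer_domain(ev)
        external = dom not in trusted
        if external:
            reasons.append(f"organizer domain {dom!r} not in trusted set")
        for prop in ("DESCRIPTION", "LOCATION", "URL", "SUMMARY"):
            found = URL_RE.findall(ev.get(prop, ""))
            if found:
                urls.extend(found)
                reasons.append(f"link in {prop}")
        verdicts.append(Verdict(ev.get("UID", "?"), external and bool(urls), reasons, urls))
    return verdicts


# Constructed sample: one ordinary internal invite, then an unsolicited external
# one whose link is folded across two lines and whose text uses RFC 5545 escapes.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "METHOD:REQUEST",  # iTIP invitation (RFC 5546)
    "BEGIN:VEVENT",
    "UID:team-sync-1",
    "ORGANIZER;CN=Alice:mailto:alice@example.com",
    "SUMMARY:Weekly sync",
    "DESCRIPTION:Agenda in the shared doc\\, as usual.",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:prize-7",
    "ORGANIZER;CN=Rewards:MAILTO:promo@calendar-rewards.invalid",
    "SUMMARY:Claim your iPhone",
    "DESCRIPTION:You were selected!\\nClaim here: https://calendar-rewa",
    " rds.invalid/claim?id=7",
    "LOCATION:Online",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for v in triage(SAMPLE_ICS):
        print(f"{v.uid}: {'SUSPICIOUS' if v.suspicious else 'ok'} {'; '.join(v.reasons)} {v.urls}")
```

The ORGANIZER line is attacker-controlled text, so the "external" signal should be corroborated with the carrying message's SPF/DKIM/DMARC results rather than trusted on its own; the check above is a triage heuristic, not an authentication step.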


6 minutes ago, VegetableStu said:

I've heard complaints about this ._. why did it take them up to now to decide that's a thing

It's the users' fault they got social engineered

 

- Google, probably


Though blaming Google for people falling to social engineering is a bit funny. If the bad guy is crafty enough, they can pull it off with anything, anywhere.


Terrible company has terrible patching policies.

Who would have thought?


I've been getting added to calendars for spam shit recently. "Click here for an iPhone" popping up on my calendar every day. They've finally stopped, but for a week it was hell.

"And I'll be damned if I let myself trip from a lesser man's ledge"

