Google Calendar Security Hole
by irms
It’s entirely possible that this problem exists in all major calendar platforms, and I’ve just called Google out for no reason, but I’ve recently had need to work extensively with the Google Apps platform (which I love, by the way), and came across a couple of interesting bits. Here’s one of them:
Other people can accept calendar invitations that they have no business accepting. In other words, with the right link, I can accept an invitation on your behalf. Here’s a quick proof (all done using Google’s web interface):
- Send your buddy (we will call him Ryan) a calendar invitation to a bogus event.
- When Ryan gets the email notification, ask him to simply reply to the message. He doesn’t need to write a message, just have him reply to it.
- Now from his reply in YOUR EMAIL, click “Yes” to accept the invitation that YOU SENT TO HIM.
- You’ve just put your own event on Ryan’s calendar, without his approval.
What’s that about? You can imagine how this could become a problem if you were emailing several people at once. Any one of them could use that link to add the event to your calendar. PLUS the default settings automatically send emails to the event organizer (you, in this case), so if people want to toy with you, they can change your answer back and forth from “Yes” to “No” to “Maybe” all night long.
Works across domains too.
But you know what? I don’t think it should work at all.
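To make the four steps above concrete without touching any real service, here is an added toy model (not Google's code, and not part of the original post) of two RSVP designs. The first treats the invitation link as a pure bearer capability, which is the capability model the comments below describe: whoever holds the URL can answer, so a link that comes back in a reply lets the organizer answer for the invitee and flip the answer at will. The second narrows what the link grants: for invitees with an account the link is only a pointer and the signed-in identity must match; for invitees without one the link stays a bearer token but is one-shot, so it cannot be flipped back and forth, and every answer is logged with who made it and reported to the invitee. All names, addresses, URLs and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed demo key; a real service would keep this in a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Invitation:
    event_id: str
    invitee: str               # address the invitation was mailed to
    response: str = "pending"  # "yes" / "no" / "maybe" / "pending"
    used: bool = False         # one-shot marker for bearer links
    audit: List[tuple] = field(default_factory=list)  # (actor, answer) history


def rsvp_token(event_id: str, invitee: str, nonce: str) -> str:
    """Unguessable, server-verifiable token bound to one invitation."""
    msg = f"{event_id}|{invitee}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class BearerRsvpService:
    """Design 1, the behaviour the post describes: the link *is* the authority.

    Anyone who obtains the URL (the invitee replied to or forwarded the
    notification mail) can answer on the invitee's behalf, any number of times.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def invite(self, event_id: str, invitee: str) -> str:
        inv = Invitation(event_id, invitee)
        tok = rsvp_token(event_id, invitee, secrets.token_hex(8))
        self._by_token[tok] = inv
        return f"https://calendar.example/rsvp?token={tok}"  # goes in the e-mail

    def _lookup(self, link: str) -> Invitation:
        return self._by_token[link.rsplit("token=", 1)[1]]

    def respond(self, link: str, answer: str, actor: str) -> str:
        """`actor` is whoever clicked; the bearer design never checks it."""
        inv = self._lookup(link)
        inv.response = answer
        inv.audit.append((actor, answer))
        return inv.response

    def calendar_of(self, invitee: str) -> Dict[str, str]:
        return {i.event_id: i.response for i in self._by_token.values() if i.invitee == invitee}


class ScopedRsvpService(BearerRsvpService):
    """Design 2: the link grants less, and its use is visible to the invitee."""

    def __init__(self, account_holders: Set[str]) -> None:
        super().__init__()
        self.accounts = account_holders
        self.notifications: List[str] = []  # what the invitee would be mailed

    def respond(self, link: str, answer: str, actor: str) -> str:
        inv = self._lookup(link)
        if inv.invitee in self.accounts:
            # The link only identifies the invitation; the session must be the invitee.
            if actor != inv.invitee:
                raise PermissionError(f"{actor} is not {inv.invitee}")
        else:
            # No account to sign in to: keep the bearer link, but make it one-shot.
            if inv.used:
                raise PermissionError("one-shot link already used; a fresh one must be mailed")
            inv.used = True
        inv.response = answer
        inv.audit.append((actor, answer))
        self.notifications.append(f"to {inv.invitee}: {inv.event_id} set to {answer} by {actor}")
        return inv.response


def replay_the_post() -> dict:
    """Run the post's steps against both designs and report what each calendar shows."""
    naive = BearerRsvpService()
    link = naive.invite("bogus-event", "ryan@example.com")
    # Step 2: Ryan replies; the quoted mail hands the link back to the organizer.
    # Step 3: the organizer clicks "Yes" from that reply, then keeps flipping it.
    naive.respond(link, "yes", actor="organizer@example.com")
    naive.respond(link, "no", actor="organizer@example.com")

    hardened = ScopedRsvpService(account_holders={"ryan@example.com"})
    link2 = hardened.invite("bogus-event", "ryan@example.com")
    try:
        hardened.respond(link2, "yes", actor="organizer@example.com")
        organizer_blocked = False
    except PermissionError:
        organizer_blocked = True
    hardened.respond(link2, "yes", actor="ryan@example.com")  # Ryan himself still can

    # Invitee with no account: the forwarded link works once, then stops.
    link3 = hardened.invite("bogus-event", "guest@other.example")
    first = hardened.respond(link3, "maybe", actor="organizer@example.com")
    try:
        hardened.respond(link3, "no", actor="organizer@example.com")
        flip_blocked = False
    except PermissionError:
        flip_blocked = True

    return {
        "naive_ryan_calendar": naive.calendar_of("ryan@example.com"),
        "naive_audit": naive._lookup(link).audit,
        "hardened_organizer_blocked": organizer_blocked,
        "hardened_ryan_calendar": hardened.calendar_of("ryan@example.com"),
        "guest_first_answer": first,
        "guest_flip_blocked": flip_blocked,
        "notifications": hardened.notifications,
    }


if __name__ == "__main__":
    for key, value in replay_the_post().items():
        print(f"{key}: {value}")
```

The naive audit trail is the interesting part for a defender: even in the bearer design the server knows which session used the link, so logging the actor and mailing the invitee on every change makes misuse visible even where it cannot be prevented outright.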
It’s not a hole, per se. The calendar invites have to go to people with no previous relationship with Google, so all the authority is necessarily bundled up in that link. It’s a capability (see http://en.wikipedia.org/wiki/Capability_security).
You can think of that URL as an object reference: only actors with the reference to the object can invoke its public methods. Forwarding an email is how you delegate authority in that model. The trouble is that not many people are familiar with it, so they make improper decisions based on their faulty understanding.
Although they obviously need to change how much authority that link grants: it should only allow the holder to accept or ignore the invitation.
Hi Mike,
Thanks for stopping in.
While I see your point, when one inadvertently delegates power to act on one’s behalf, that’s a security problem. It’s true that the system needs to accommodate users having no previous relationship with Google, but leaving the channel wide open is certainly not the way to do it (which we agree on).
There must be a better way.
Don’t share the link if you don’t want people using it. There’s no way around having it all be encapsulated in the link like that if they want to ensure users not affiliated with any service can use it.
Sure. Let’s tell that to all the users who don’t expect it to work that way.
The functionality here is about the way one expects it to work, versus how it does. There is a gap.