Google, which was alerted in 2017 that more than 1.5 billion of its Gmail and Calendar users were vulnerable to credential-stealing attacks, has now responded and released a press statement on the matter early today.
The statement says that Google protects users of all its web services through its Google Chrome Safe Browsing filters. The company added that malicious URLs that could lead to phishing attacks are blocked by its servers for Gmail users by default.
However, the statement says that Google did not fix the vulnerability in its Calendar service because doing so could cause functionality drawbacks for its users.
How the attack vector works
In general, Google Calendar lets users schedule a meeting with another person and reminds them by sending an official invite. Researchers from Black Hills Information Security found that threat actors can craft malicious links in the invite that lead the victim to a fake online poll or questionnaire promising a financial incentive. In fact, the page tricks the victim into giving up bank account and credit card details.
What is Google’s reaction to its Calendar Vulnerability?
In a statement released today, Google confirmed that it is aware of the security issue in its Calendar app, which leads to spam problems, and added that it will soon find a fix for the issue.
How to mitigate such attacks for now
Russian cybersecurity firm Kaspersky says that such attacks can be mitigated by turning off the automatic adding of Calendar invites from the “Event Setting” menu in Google Calendar and enabling the option “Only show invitations for which I have responded”. Leaving “Show Declined Events” unchecked in the View Options section also helps. Furthermore, users are advised to validate meetings manually.
Note: The credential-stealing exploit was brought to Google's attention in 2017 by two security researchers from Black Hills Information Security. They also demonstrated it at the Wild West Hackin Fest held in June’18.
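One way to support the manual validation step, as an added example that is not from Kaspersky, Google or the original article: a Python sketch that reads an exported calendar file (.ics) and lists invites that carry links and come from organizers outside a trusted set. The function names, the sample invites and the trusted-domain list are assumptions made for illustration, and the parser handles only basic RFC 5545 line folding and unquoted parameters.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed sample export: one internal invite, one unsolicited invite with a folded line.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Weekly sync
ORGANIZER;CN=Alice:mailto:alice@corp.example
DESCRIPTION:Agenda at https://wiki.corp.example/sync
END:VEVENT
BEGIN:VEVENT
SUMMARY:You have received a reward
ORGANIZER;CN=Rewards:mailto:promo@unknown.example
DESCRIPTION:Complete the poll to claim it\\nhttps://poll.unknown.exa
 mple/survey
END:VEVENT
END:VCALENDAR
"""

def parse_events(ics_text):
    """Return one dict (property name -> value) per VEVENT; simplified parsing."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        elif raw:
            lines.append(raw)
    events, cur = [], None
    for line in lines:
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";", 1)[0].upper()] = value  # drop parameters such as ;CN=
    return events

def invites_to_review(ics_text, trusted_domains):
    """List invites that contain links and whose organizer domain is not trusted."""
    flagged = []
    for ev in parse_events(ics_text):
        organizer = ev.get("ORGANIZER", "").split(":", 1)[-1].strip().lower()
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
        links = URL_RE.findall(text.replace("\\n", " "))  # "\n" is an escaped newline in ICS text
        if links and organizer.rpartition("@")[2] not in trusted_domains:
            flagged.append({"summary": ev.get("SUMMARY", ""), "organizer": organizer, "links": links})
    return flagged
```

Calling `invites_to_review(SAMPLE_ICS, {"corp.example"})` returns only the second invite; a flagged entry is a prompt for manual review, not a verdict that the link is malicious.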