A Web developer named Terence Eden wrote a blog post on how his wife found a peculiar quirk in Google Calendar. Eden’s wife Alice created a private reminder for herself on Google Calendar about asking for a raise. After the private event was created, Alice’s boss sent her an email saying “Meeting Accepted.”
The issue was that Eden’s wife set a private reminder on Google Calendar and put her Gmail address in the subject line, which made the event appear in the calendars of Gmail accounts in her contacts. Essentially, it looked like a public meeting.
While this issue could have been worse, Terence reported the privacy flaw to Google, and the company’s statement made it clear that it didn’t consider this a huge security issue:
We reviewed your report. After careful consideration by our security team, we feel that the issue has minimal impact on the security of our users. Let us know if you believe that this determination may be incorrect. If you’d submitted your report as part of our reward program, this means it doesn’t qualify for reward or credit. Thanks for your help!
Fortunately, Eden’s blog post notes that they studied the various issues associated with this behavior. Here’s what they found:
- If you use Google Calendar on the Web and put a Gmail address in the subject line, that user will have the event added to their calendar.
- They will not receive an email notification, although they will get a “meeting reminder” pop-up.
- Creating an event on an Android phone does not trigger a meeting request.
- Some non-Gmail addresses will also see the meeting in their calendar, but others will not.
- When you delete a calendar item, the “Cancelation” notification is emailed regardless of whether the user received the original invite.