Unauthorised Accessing of Google Calendar Invites

Google Calendar is a common and very well known feature that everyone uses for scheduling and organising meetings within an organisation that uses "Google for Work".

The Bug!
Failure to restrict access by unauthorised personnel.

Story
While scheduling a meeting with my work team to present a demo, I came across the functionality in Google Calendar to add groups as guests. Once a group is added, Calendar automatically expands the group and adds all its members to the meeting. While doing so, it asks the organiser whether (s)he wants to send the meeting invites to the guest list.

Once the meeting is scheduled, all the meeting invitations are actually sent from the organiser's own mail account. That means that once you schedule a meeting, if you check your Sent mail folder, you can find every meeting invite that was sent to the guests.

Figure: sent mail box with target mail

So far, this is just a feature. But once we open any meeting invite from the Sent mail folder, the invitation contains a link that was actually generated for the target user to open.

Figure: sent mail with hardcoded link

But since we already have the link, if we open it in a browser, we can actually perform the actions designated for the target user. That means we can approve/reject the invitation on their behalf.

Figure: link page with target user's options

Figure: link page with target's post accept message

Once we perform any action from the link, that action is reflected from the target user's mail account. This means that if you accept/reject the invitation, a mail is automatically sent from the target's mail account to your account saying that the invitation was accepted/rejected.

Figure: mail received from target's account

It was also observed that these links never expire, so you can always modify your own or someone else's response at any later time.
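The root cause described above is that the RSVP link is a bearer capability: whoever holds it can respond as the guest, it is handed to the organiser in their own Sent mail, and it never expires. The following Python is an added example (not Google's code and not from the original post) that models that weak design next to a hardened one, where the link is only a hint and the response is accepted only when the signed-in session user matches the guest the link was issued for, and only before the link's expiry. All function names, the `SECRET` key, the event id and the e-mail addresses are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a production service would keep this in a KMS/HSM.
SECRET = b"constructed-demo-signing-key"


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def _encode(data: dict) -> str:
    """Serialise and sign a dict into a URL-safe token: <base64 body>.<hex hmac>."""
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _decode(token: str) -> Optional[dict]:
    """Return the signed dict, or None if the token is malformed or tampered with."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
        if not hmac.compare_digest(_sign(payload), sig):
            return None
        return json.loads(payload)
    except (ValueError, TypeError):  # missing separator, bad base64, non-ASCII sig
        return None


# --- Weak design: models the behaviour the post describes ----------------------

def make_bearer_link(event_id: str, guest: str) -> str:
    """Token that authorises an RSVP for `guest` to whoever holds it, forever."""
    return _encode({"event": event_id, "guest": guest})


def rsvp_bearer(link: str, action: str, responses: dict) -> str:
    """Apply the RSVP using only the link: no session check, no expiry check."""
    data = _decode(link)
    if data is None:
        return "rejected: bad signature"
    responses[(data["event"], data["guest"])] = action
    return "ok"


# --- Hardened design ------------------------------------------------------------

def make_bound_link(event_id: str, guest: str, now: int, ttl: int = 7 * 86400) -> str:
    """Same token plus an expiry; it names the intended guest but carries no authority."""
    return _encode({"event": event_id, "guest": guest, "exp": now + ttl})


def rsvp_bound(link: str, action: str, session_user: Optional[str],
               now: int, responses: dict) -> str:
    """Apply the RSVP only if the signed-in user is the guest the link was issued for."""
    data = _decode(link)
    if data is None:
        return "rejected: bad signature"
    if now > data["exp"]:
        return "rejected: link expired"
    if session_user is None:
        return "rejected: sign-in required"
    if session_user.lower() != data["guest"].lower():
        return "rejected: link is not for this user"
    responses[(data["event"], data["guest"])] = action
    return "ok"


def demo() -> dict:
    """Replay the post's scenario with constructed identities and a fixed clock."""
    organiser, target = "organiser@example.com", "target@example.com"
    now = 1_700_000_000
    weak, strong, out = {}, {}, {}

    # The organiser holds the target's link because it sits in their own Sent mail.
    link = make_bearer_link("evt-42", target)
    out["weak_organiser_for_target"] = rsvp_bearer(link, "accepted", weak)

    bound = make_bound_link("evt-42", target, now)
    out["bound_organiser_session"] = rsvp_bound(bound, "accepted", organiser, now, strong)
    out["bound_no_session"] = rsvp_bound(bound, "accepted", None, now, strong)
    out["bound_target_session"] = rsvp_bound(bound, "accepted", target, now, strong)
    out["bound_after_expiry"] = rsvp_bound(bound, "declined", target, now + 8 * 86400, strong)
    out["weak_state"], out["strong_state"] = dict(weak), dict(strong)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the weak model the organiser's session is never consulted, so the response lands in the target's name exactly as the post observes; in the hardened model the same link opened from the organiser's session is refused, an anonymous open is sent to sign in, and the target's own response is refused once the link has aged out.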

Conclusion!
Now we can invite anyone and approve or reject their calendar invite without their consent. In other words, you can schedule a meeting with your CEO and make him accept the invite whenever you want.

Responsible Disclosure!

  • Issue reported to Google VRP
  • Issue marked as expected behaviour; won't fix?

Video PoC?
Since the issue affects the Google for Work calendar, it is difficult to provide a video PoC openly without disclosing sensitive information from the mailbox.

Since the issue is a "Won't Fix" from Google's side, you can always go and try it yourself (at your own risk, though).
