
In a bid to enhance the collaboration and socialization aspects of Google Calendar, the Google Calendar team recently added the functionality to “Search and Add Events from the Web”. According to the official site:
Now you can search the web for events and add them directly to your Google Calendar. Within Google Calendar, type an event search into the search box like “Symphony in San Francisco” and click “Search Public Events”. You’ll see a list of events that you can easily add to your Google Calendar.

Users can also click on the event listing to see a map of where the venue is located and the corresponding times at which the event occurs. The event can be added to your calendar by clicking on the time of the event and selecting “copy to my calendar”.
As it turns out, there is a huge population of users who create a reminder for an event and leave the login and credentials in the reminder as well. This reminder is often set to public viewing to share the event with friends or colleagues, not knowing that it could be viewed by anyone on the face of the planet. Want to view some passwords? Just type “user password” in the search box and click the “Search Public Events” button. Of course, you can try out other wicked options to see what turns up.
I won't blame the users for this, because not all of us are computer scientists who could figure these things out, but Google itself. Firstly for not thinking through the feature they implemented, and secondly for not educating the users about it. For a company that plans to search your thoughts and make them accessible to you, this is a big mistake.

Update: I have been informed that it's silly on the part of the users to try and share such information with friends and colleagues, especially when Google explains the consequences in a warning. Take a quick look at the warning message:


This is the same “Are you sure you want to delete this” message that we come across on Windows while trying to delete a file. Users are so accustomed to this “Are you sure…” message that no one even bothers to read it completely, let alone pause for a while and think about it. Try logging into a Google Account with the userid: “seanbray4” and password: “chomsky”; yup, that's the top search result in the snapshot above. Entire Google Accounts, including Adsense, Gmail, Calendar and other services, of uninformed users have been compromised. Scary stuff, to say the least. Read this Computerworld article to know how sensitive corporate data is getting leaked via this feature. Maybe Google should hire a Usability Expert or a Behavioral Psychologist to educate them on how users respond to warning messages.
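One way to check your own calendar for this mistake, as an added example that is not part of the original post: the script below parses an iCalendar (.ics) export and reports events whose text looks like a pasted login, without echoing the secret itself. The sample data, the function names and the keyword list are assumptions, as is treating only events marked CLASS:PRIVATE or CONFIDENTIAL as hidden on a calendar that is shared with everyone.

```python
import re

# Constructed sample export; the account names and secrets are made up.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VEVENT",
    "SUMMARY:Quarterly payroll run",
    "DESCRIPTION:Portal login: acct-demo\\, pass",
    " word: Example-Only-1",  # folded continuation line (RFC 5545)
    "END:VEVENT",
    "BEGIN:VEVENT",
    "SUMMARY:Dentist",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "CLASS:PRIVATE",
    "SUMMARY:VPN renewal",
    "DESCRIPTION:pwd=Example-Only-2",
    "END:VEVENT",
])

# Keyword, then ':' or '=', then a value: the shape of a pasted credential.
CRED_RE = re.compile(
    r"\b(password|passwd|passcode|pwd|login|username|userid|user)\b\s*[:=]\s*\S+", re.I)

def parse_events(ics_text):
    """Unfold continuation lines, then return one property dict per VEVENT."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # line break + space/tab = same line
    events, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)  # simplified: no quoted ':' in parameters
            value = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
            current[name.split(";", 1)[0].upper()] = value
    return events

def find_exposed_credentials(ics_text):
    """List (summary, field, keyword) for credential-like text in events not marked private."""
    findings = []
    for event in parse_events(ics_text):
        if event.get("CLASS", "PUBLIC").upper() in ("PRIVATE", "CONFIDENTIAL"):
            continue  # assumption: only these events are hidden on a public calendar
        for field in ("SUMMARY", "DESCRIPTION", "LOCATION"):
            for match in CRED_RE.finditer(event.get(field, "")):
                findings.append((event.get("SUMMARY", ""), field, match.group(1).lower()))
    return findings
```

The folded DESCRIPTION line in the sample splits the word “password” across two physical lines, which is why the text is unfolded before matching; a plain line-by-line grep of the export would miss it.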



Trackbacks / Pingbacks for this entry:
[...] Startup Meme and Chris Pirillo report that quite a few people have made login credentials of theirs public via Google Calendar event descriptions, which can now be found by searching for public events for e.g. “username password”. When you create a calendar with Google, you have the options “do not share with everyone” (default) and “share all information on this calendar with everyone” (which additionally triggers a confirmation dialog). However, when people add certain events to public calendars, it may be that they’ve forgotten they once made the calendar public. Maybe Google needs to put a more visible icon next to public calendars as a reminder, or always trigger a confirmation when you add an event to a public calendar, but this is not a Google Calendar security vulnerability – it’s user misconfiguration, similar to when you e.g. create a blog post with information that ought to be secret, and then someone searches Google for “password username”. [...]
[...] was at the center of a controversy, whereby important Corporate data got leaked as a result of users storing their ids and passwords in the calendar that were made [...]