Google has finally taken steps to prevent an annoying and potentially dangerous type of attack that could let threat actors add unwanted invitations to the calendar.
A stranger’s ability to add an unwanted invitation in the Google Calendar could not only force users to deal with invitation notifications all the time, it also represents a security risk. Criminals can use this attack to trick people into accessing phishing websites or even to install malware, which is a good reason for Google to fix it. Unfortunately, some people want to have the invitations automatically added, and entirely disabling the option would have punished them.
The company added two options for users. They can have invitations automatically added, or they can have them automatically added if the user RSVP’d in the email event invitation.
“These additional controls can help you manage your calendar with less manual work by ensuring unwanted events don’t appear, and you see only the events that are important to you,” said the company in a blog post.
These new options create a few additional scenarios, which need to be accounted for, as explained by Google:
· If you choose to only have events added if you RSVP, you’ll see an additional option to allow those who have permission to view or edit your events to see all invitations.
· When you change the setting, it only determines whether future events are added to your calendar. Any events that are already on the calendar will remain visible unless you delete them.
· If you choose to only add events when you RSVP, you’ll receive an email invitation to all events, even if the organizer chooses not to send one. This will help prevent you from missing events. Note that this doesn’t apply to updates, only to invitations.
· We’ve moved the notification option (“Yes, but only notify me if I’ve responded Yes or Maybe”) into the notifications section to help you better manage when you get notifications.
Also, the option is set to OFF by default, so users have to enable it from the Google Calendar settings. The rollout has already begun, and it will be deployed to all users in the coming weeks.