Google Calendar Exploit

| Exploit | Google

Whilst using Google Calendar I noticed an interesting feature, which I’m unsure if it should be there are not. I’ve contacted google twice about this bug but never received a reply. So I figured I would post about it here.

When creating a Google Calendar you may share the calendar with your friends and allow them to alter it. You do this by clicking “Share this calendar” and then typing in their email address. I noticed something odd when I typed in a friend’s Gmail address and clicked “Add Person”. His name appeared next to the newly entered email address. I thought this might be because I previously spoke to this person via email, or he was a friend on GTalk.

I asked around and collected a selection of address which I had never contacted or even seen before. I entered each one, and sure enough their owner’s names appeared! Then I tried to enter invalid Gmail addresses, and sure enough those were accepted, but did not display any name.

I think this is a very simple way to obtain information from a email address, and to even test if the email exists or not. Hopefully this isn’t a feature and in fact Google made a mistake.

comments powered by Disqus