Terence Eden is a developer who has discovered a privacy flaw in Google Calendar. He found that Calendar automatically invites anyone whose email address appears in the title of an entry, even if the user creates that entry in their private calendar and does not plan on inviting anyone. Invitations are sent without notifying the user. The recipient does not receive an email notification; however, a “meeting reminder” pops up, which might cause some awkward situations even if it doesn’t have major security implications. For example, if a user creates an entry in their private calendar that reads “email firstname.lastname@example.org and ask for a loan,” Mr. Adam will receive an invitation and will therefore know that he’s going to be asked for a loan.
After initially discovering this flaw, Eden tried several times to recreate the behavior and found a couple of interesting things. The flaw only exists if an entry is created using Google Calendar on the web; it has no effect if the entry is created using an Android smartphone or tablet. It’s not limited to Gmail addresses, and even some non-Gmail addresses will see the meeting request in their calendar. If the user tries to delete the calendar entry, the recipient will be notified about the cancellation regardless of whether they received the initial invite or not. Eden reported it to Google, and the company said that “careful consideration” by its security team led to the conclusion that this flaw has little to no impact on the security of its users. That may be true to an extent, but this flaw does reveal the user’s Gmail address, which leads to their Google+ profile if they have one, which could then lead to other potential sources of private information that someone might not want to share with a casual acquaintance.
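A user who wants to check whether any of their own entries were affected can audit an exported calendar file. The script below is an added example, not code from Eden or Google: it reads iCalendar (.ics) text and reports every email address that appears in an event title, along with whether that address is also on the event's attendee list. It assumes that an automatically added invitee shows up as an `ATTENDEE` property in the export; the sample data is constructed.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r"mailto:([^\s;]+)", re.I)

# Constructed sample export; addresses and events are made up.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:email bob@example.org and ask for a loan
ATTENDEE;CN=Bob;ROLE=REQ-PARTICIPANT:mailto:bob@exa
 mple.org
END:VEVENT
BEGIN:VEVENT
SUMMARY:Dentist
END:VEVENT
BEGIN:VEVENT
SUMMARY:note: call carol@example.net about the invoice
END:VEVENT
END:VCALENDAR
"""

def unfold(text):
    """RFC 5545 folds long lines; a leading space or tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def audit(ics_text):
    """Return (title, address, is_attendee) for every address found in an event title."""
    findings, event = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            event = {"summary": "", "attendees": set()}
        elif event is None:
            continue  # ignore properties outside an event
        elif line == "END:VEVENT":
            for addr in sorted({a.lower() for a in EMAIL_RE.findall(event["summary"])}):
                findings.append((event["summary"], addr, addr in event["attendees"]))
            event = None
        elif line.split(":", 1)[0].split(";", 1)[0].upper() == "SUMMARY":
            event["summary"] = line.partition(":")[2]
        elif line.upper().startswith("ATTENDEE"):
            match = MAILTO_RE.search(line)
            if match:
                event["attendees"].add(match.group(1).lower())
    return findings

if __name__ == "__main__":
    for title, addr, invited in audit(SAMPLE_ICS):
        status = "INVITED" if invited else "not on attendee list"
        print(f"{addr}: {status}  <- {title!r}")
```

Entries flagged as invited are the ones to review before editing or deleting them, since the article notes that deletion also notifies the recipient.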