Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently didn’t fix this at the time as it would have caused “major functionality drawbacks” for Calendar users, despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin’ Fest.

Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.” That statement went on to say that Google offers “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” Now, it seems, Google is finally taking this security problem somewhat more seriously.

How does the Google Calendar attack work?

Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications.

Google Calendar allows anyone to send you a meeting invitation, and Gmail is built to integrate tightly with this calendaring functionality, so an unsolicited invitation lands in the recipient's calendar and generates notifications without the recipient having accepted anything. Combining these two facts gives the threat actor a non-traditional attack vector: a link placed in the event reaches the victim through a trusted Google notification rather than through an obviously suspicious email, which sidesteps the increasing awareness amongst average users of the danger of clicking unsolicited links.
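As an added example (not code from the article, from Google, or from the Black Hills researchers), here is a Python check that a mail gateway or mailbox script could run over the text/calendar part of an incoming invitation: it parses the iCalendar VEVENT, reads the organizer's mail domain, pulls any links out of the event's description, location and URL fields, and flags the invitation when the organizer is outside a trusted-domain list and the event carries a link. The trusted-domain list and the sample invitation are constructed for the example.

```python
"""Flag unsolicited calendar invitations that carry links.

Added example for this article; not code from Google, Forbes or the Black
Hills researchers. An emailed Google Calendar invitation travels as a
text/calendar MIME part in iCalendar (RFC 5545) format, so a mail gateway
can inspect it before Calendar auto-adds the event. The trusted-domain
list and the sample invitation are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the organisation's own mail domains; an organizer from
# anywhere else counts as unsolicited for this check.
TRUSTED_DOMAINS = {"example.com"}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
TEXT_ESCAPE_RE = re.compile(r"\\([\\;,nN])")  # RFC 5545 TEXT escapes

def unfold(ics: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with SPACE or TAB
    continues the previous line; the folding whitespace is removed."""
    lines: List[str] = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def unescape_text(value: str) -> str:
    """Backslash-n becomes a newline; escaped comma, semicolon and
    backslash become the literal character."""
    return TEXT_ESCAPE_RE.sub(
        lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def parse_vevent(ics: str) -> Dict[str, str]:
    """Properties of the first VEVENT as {NAME: value}; parameters such as
    ;CN=... are dropped (simplification: a quoted parameter containing ':'
    would be split at the wrong place)."""
    props: Dict[str, str] = {}
    inside = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = unescape_text(value)
    return props

def organizer_domain(props: Dict[str, str]) -> str:
    """Mail domain of ORGANIZER (a mailto: URI), lowercased; '' if absent."""
    addr = props.get("ORGANIZER", "").strip().lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

@dataclass
class Verdict:
    suspicious: bool
    organizer_domain: str
    urls: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

def assess_invitation(ics: str, trusted_domains=TRUSTED_DOMAINS) -> Verdict:
    """Suspicious when the organizer is outside the trusted domains AND the
    event text carries a link: the attack needs both an unsolicited sender
    and a link for the notification to deliver."""
    props = parse_vevent(ics)
    domain = organizer_domain(props)
    urls: List[str] = []
    for key in ("DESCRIPTION", "LOCATION", "URL"):
        urls.extend(URL_RE.findall(props.get(key, "")))
    reasons: List[str] = []
    untrusted = domain not in trusted_domains
    if untrusted:
        reasons.append(f"organizer domain {domain!r} is not trusted")
    if urls:
        reasons.append(f"{len(urls)} link(s) in event text")
    return Verdict(untrusted and bool(urls), domain, urls, reasons)

# Constructed sample: an unsolicited invite whose description carries a
# link, folded across two lines as real .ics files are.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:0001@evil-example.net",
    "ORGANIZER;CN=Prize Desk:mailto:prizes@evil-example.net",
    "DTSTART:20190612T140000Z",
    "SUMMARY:You have won a cash reward",
    "DESCRIPTION:Claim it before it expires:\\n https://evil-exampl",
    " e.net/claim?u=victim",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    v = assess_invitation(SAMPLE_INVITE)
    print("suspicious" if v.suspicious else "ok", v.reasons)
```

The check deliberately requires both conditions, because internal colleagues put links in invitations all the time and an empty invitation from a stranger is noise rather than a phish. On the user side, Google Calendar's "Automatically add invitations" setting controls whether an invitation from anyone appears in the calendar before it has been accepted; a gateway check like this one covers the invitations that arrive by mail.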

Full coverage @ Forbes.com