This week I noticed a bunch of Google calendar spam events added to my diary which read “Your iPhone XsMax is ready for PickUp” and contained a link to some external website.
Ok. Somebody added events to my calendar which I did not create. Was I hacked? Obviously I first checked who had access to my Google Account and was relieved there hadn’t been any security breach of sorts (phew!).
However adding a calendar event into my diary is definitely something I would consider a very intrusive move considering that this is a feature I heavily use every single day. My calendar is sync’ed up with my phone – hence every event added to it goes right on my screen. Congratulations! You got my attention!
How this Google Calendar Spam Works
Since I am working in the monetisation space this thing caught my interest right away. How can somebody pull this off without having access to my account? I found this thread on reddit where people seemed to have the same problem.
After reading through it I realised that the concept is strikingly simple. It’s just calendar invites. And apparently this is not even a new thing.
All you need is to send an invite to somebody’s inbox and hope that their client (Google, Office 365, etc.) will hoist the event with no RSVP into the calendar. In the case of Gmail, Google doesn’t seem to differentiate between spam and ham. That’s why, even though that email is correctly bucketed into the spam folder, that won’t keep it from interacting with your diary. Urgh.
Still I think the idea behind that Google Calendar spam is genius!
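The mechanism above, seen from the receiving side: this added example (not from the original post) parses a raw message, finds `text/calendar` parts that carry an invite (`METHOD:REQUEST`) and lists the ones the recipient has never answered, noting whether the organizer is known. The function names, the sample message and the known-organizer check are assumptions for illustration; the small parser assumes no `:` inside quoted parameter values.

```python
import re
from email import message_from_string, policy

# Constructed sample: an invite e-mail shaped like the one described above.
SAMPLE = """\
From: promo@example.net
Subject: Invitation: Your iPhone XsMax is ready for PickUp
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Promo:mailto:promo@example.net
ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@example.com
SUMMARY:Your iPhone XsMax is ready for PickUp
DESCRIPTION:Claim it here: http://offers.example.net/claim
END:VEVENT
END:VCALENDAR
"""

def ical_props(text):
    """Unfold iCalendar lines and yield (NAME, PARAMS, value) per property."""
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        head, _, value = line.partition(":")
        name, _, params = head.partition(";")
        yield name.upper(), params.upper(), value

def review_invites(raw, me, known_organizers):
    """List invites in a raw message that the recipient has not answered."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/calendar":
            continue
        props = list(ical_props(part.get_content()))
        first = lambda key: next((v for n, _, v in props if n == key), "")
        organizer = first("ORGANIZER").lower().replace("mailto:", "", 1)
        # PARTSTAT on our own ATTENDEE line records whether we ever replied.
        mine = [p for n, p, v in props
                if n == "ATTENDEE" and v.lower() == "mailto:" + me.lower()]
        answered = any("PARTSTAT=" in p and "NEEDS-ACTION" not in p for p in mine)
        if first("METHOD").upper() != "REQUEST" or answered:
            continue
        findings.append({
            "summary": first("SUMMARY"),
            "organizer": organizer,
            "unknown_organizer": organizer not in known_organizers,
            "links": re.findall(r"https?://[^\s\\,;]+", first("DESCRIPTION")),
        })
    return findings
```

Run over a spam folder, a check like this surfaces messages that can still reach the calendar even though the mail itself was filtered.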
The Idea Behind the Exploit isn’t all Bad.
If you think of it, your calendar is somewhat of a sacred space. It’s mostly controlled by you and people you interact with. It’s definitely not real estate for advertising – at least you would not naturally think of it as being one.
At the same time most people are used to significant events automatically being added to their calendars: Flights, hotel stays, car pickup.. The list of capabilities is long and users know and trust the content parsed from their emails. You would normally not object to hotel check-in or flight departure times displayed in your calendar. For many users this is a clear feature and a very welcome reminder that would otherwise have to be created manually.
For those trust reasons – even though I don’t have access to numbers – I would assume that this spam scheme receives a good amount of clicks. Also the amount of work that needs to be done to invade such great screen estate is very low. So: Chapeau for that idea!
How to Protect your Calendar Against Unwanted Invites
One way of making sure these things do not make it into your calendar would be to completely disable events being added automatically. However, I would advise against that: you might miss some important updates. A better way is adding only those events to which you have responded.
In order to achieve that, head over to your calendar’s settings. You’ll get there by clicking on the three dots when hovering over your calendar in the list on the left side. This will get you into the settings screen below.
Navigate to event settings and choose to view only those events to which you have already responded. Just hit the go back arrow on the top left of your screen to return and apply those settings.
Let’s hope that Google will get smarter when it comes to these quirks. Given how easy it was to invade my calendar it really made me wonder why this hasn’t been disabled yet.