0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Google Calendar Search for Fun & Profit

with 2 comments

In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google Calendar Search by simply typing ‘private’ in the search box. You’ll be surprised by how many results you get (960 at time of writing).

With such nuggets as:

What

Presentation in Bern [work]

When

Mon Sep 1 12pm – Mon Sep 1 4pm
20080901T120000/20080901T160000

Where

Created By

Michel

It’s certainly not a great deal of work to trace other public details, and find out exactly who this might be.  Interestingly, he’s also praying at 1AM today, and rowing at 2PM. He looks to be a bit worried about his skills.

This post ties closely to an observation made by stan over at n0where.org. What if a bank were able to access your calendar while you were planning to make a week-long trip to vegas? Do you think they’d still be eager to give you that home-loan? Food for thought, no?

UPDATE 09/02/08:
Google: John Gomez! Are you really sure you want to share this with the world?
John Gomez: *clicks yes*
Google: Are you sure??
John Gomez: just do it, it’s handy!
Google: Okay, but don’t say I didn–
John Gomez: DO IT!
Google: fine. idiot.
[Except this doesn’t happen, and people have NO IDEA they’re sharing this info most likely]

Delta Air Lines #616, 01:15 PM PDT

WhenFri, Sep 26, 4:15pm – 10:01pm
WhereSFO – JFK (map)
Description Record Locator: MXNYGI Flight: Delta Air Lines #616 Confirmation: CYT0L0 Departure Location: San Francisco International Airport (SFO) Departure Time: Friday, September 26 at 01:15 PM PDT Departure Terminal: 1 Arrival Location: John F. Kennedy International Airport (JFK) Arrival Time: Friday, September 26 at 10:01 PM EDT Arrival Terminal: 3
UPDATE (09/02/08) (2):
Looks like our boy John is in good company at least… 680 results for the term ‘Record Locator.’ Ouch.
So how do you take advantage of this?
– Impersonate them
– Break into their house / steal their car while they’re away
– Frame them for a crime happening in their vicinity
– Call the airport, impersonate an authority (you’ve got all the details, right?.. right.)

Out of curiosity, is anyone doing a taxonomy of real-world attacks? The final attack listed above is analogous to a DOS attack, but these are all straight-forward. I’d love to see a taxonomy of possible ways to exploit a piece of information (vulnerability).

Advertisements

Written by jcran

September 2, 2008 at 4:24 AM

2 Responses

Subscribe to comments with RSS.

  1. This kind of thing could be leveraged by big business by tracking staff for a competing company. By checking when the competition are headed for a meeting and canceling their tickets, taxi, hotel, or just calling them to say it’s cancelled. Possibly even taking it to the next level by turning up at the client and pretending to be them at the scheduled meeting.

    A social engineers dream…

    ChrisJohnRiley

    September 2, 2008 at 6:50 AM

  2. @Chris

    Good point. Lots of opportunities here for a competing business.

    I think attacks are quite simple (read: opportunistic) at the moment because of the relatively small number of shared calendars, but imagine if someone were able to have google-level access to ALL calendars.

    If i were a competing entity to google (and who isn’t these days?) i certainly wouldn’t want to keep my data in the google.

    jcran

    September 2, 2008 at 12:43 PM


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: