Find public google calendar

Posted on Jan 4, 2022

Today I learned how to look for public calendars with a list of email addresses. #infosec #recon

Add this to your recon pipeline

After finding or generating a list of email addresses for your target, the following URL lets you view a user's calendar in case it was set to allow public access:

https://calendar.google.com/calendar/u/0/htmlembed?src=email@address.com

This of course can be automated:

while IFS= read -r in; do resp=$(curl -s -o /dev/null -w "%{http_code}" -G --data-urlencode "src=$in" "https://calendar.google.com/calendar/u/0/htmlembed") && echo "$in - $resp"; done < emails.txt

This little script reads emails.txt line by line, sends each address to the above-mentioned URL (URL-encoded as the src parameter, so addresses containing + or other reserved characters do not break the query) and prints the resulting HTTP status code. The output looks like this:

email1@target.com - 200
email2@target.com - 404

The second column is the HTTP status code. A 200 means the calendar is publicly readable and you should take a closer look; a 404 means it is not publicly accessible (the endpoint does not tell you whether an account exists for that address at all). Anything else, in particular a 429, means you are being throttled and should slow down rather than count the address as negative.
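The same check as a small Python tool, as an added example that is not part of the original post. It goes a bit further than the one-liner: input lines are cleaned up (trailing CR from Windows-edited files, duplicates, comments), the address is URL-encoded into the src parameter, and status codes are classified so that 200, 404 and throttling (429) are reported differently instead of all being "not 200". The HTTP call is injected as a function so the logic can be exercised offline; the fetcher, classification labels and the sample addresses are my own assumptions, not anything from Google or the post.

```python
"""Batch check of the Google Calendar htmlembed endpoint for public calendars.

Added example, not from the original post. Network access is done by the
`http_status` function and passed into `check_calendars`, so the rest can be
run and tested without touching the network.
"""
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Endpoint from the post; the src parameter carries the calendar id (the email).
EMBED_URL = "https://calendar.google.com/calendar/u/0/htmlembed"


def build_url(email: str) -> str:
    """Build the embed URL with src properly URL-encoded.

    urlencode turns '+' into %2B and '@' into %40, so addresses with reserved
    characters survive, which naive string interpolation does not guarantee.
    """
    return EMBED_URL + "?" + urllib.parse.urlencode({"src": email})


def load_emails(lines: Iterable[str]) -> List[str]:
    """Normalise an address list: strip whitespace/CR, drop blanks and '#'
    comments, lowercase, and dedupe while preserving order."""
    seen = set()
    out: List[str] = []
    for raw in lines:
        email = raw.strip().lower()
        if not email or email.startswith("#") or email in seen:
            continue
        seen.add(email)
        out.append(email)
    return out


def http_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher: return the HTTP status code, treating HTTP errors as data."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map a status code to a recon verdict (labels are this example's own)."""
    if status == 200:
        return "public"          # calendar is readable, look closer
    if status == 404:
        return "not public"      # private, or no calendar for that address
    if status == 429:
        return "rate limited"    # back off; this is not a negative result
    return "other"


def check_calendars(
    emails: Iterable[str],
    fetcher: Callable[[str], int] = http_status,
    delay: float = 0.5,
) -> Dict[str, Tuple[int, str]]:
    """Query every address once and return {email: (status, verdict)}.

    A fixed delay between requests keeps the scan polite; on a 429 the
    delay is multiplied so the run recovers instead of burning the rest
    of the list as throttled.
    """
    results: Dict[str, Tuple[int, str]] = {}
    for email in emails:
        status = fetcher(build_url(email))
        results[email] = (status, classify(status))
        time.sleep(delay * 10 if status == 429 else delay)
    return results


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "emails.txt"
    with open(path, encoding="utf-8") as fh:
        targets = load_emails(fh)
    for address, (code, verdict) in check_calendars(targets).items():
        print(f"{address} - {code} ({verdict})")
```

Run it as `python3 check_calendars.py emails.txt`; the output mirrors the one-liner's `address - code` format with the verdict appended.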

Don’t allow public access (unless you know what you’re doing)

Some add-ons ask for public access in order to interact with a Google Calendar. For specific, purpose-built calendars this might be necessary, but opening up a personal calendar is most likely not a good idea. With public access, an attacker gets the contact information inside calendar entries, access codes and links for video calls, and whatever customer information is noted in appointments.

To check that a calendar is in fact not public, open the Google Calendar settings and review the sharing settings of each individual calendar. By default a calendar is private, but better safe than sorry.