- Calendar subscriptions can be hijacked, injecting phishing links or malware into user schedules
- Bitsight found 347 domains affecting around 4 million devices, mostly in the United States
- Not a bug, but risky functionality; users must manage subscriptions carefully
A convenient feature in popular calendar applications can be abused to trick people into clicking on malicious links or giving away sensitive information, researchers are saying.
Most popular calendar apps allow users to subscribe to external calendars, allowing third parties, such as businesses or organizations, to add events directly into the subscribers’ schedule. That can be pretty much anything, from discounts and sales events to public events, holidays, and more.
However, if a business shuts down, or their domain expires, the calendar subscription does not expire with it. If a cybercriminal manages to obtain the domain, they can add events directly into people’s calendars, including links to phishing pages, or sites hosting malware. The same goes for businesses whose infrastructure was hijacked or hacked into.
Risky business
This is according to security researchers Bitsight who claim this is a real problem, currently affecting around four million devices, as the attacks abuse the trust people have in different brands and organizations.
“Our research began with a single domain that we sinkholed, recording 11,000 unique IP addresses per day,” the experts said.
“This domain functioned as a server for a subscribed calendar that distributed German public and school holiday events, and that got our attention. Why would a domain for German holidays, with .ics files, be available?”
They ended up discovering 347 domains, including FIFA 2018 events, Islamic Hijri calendars, and others, connected to approximately four million unique IP addresses, most of which were located in the United States.
Bitsight stresses that this is not a vulnerability or a bug in the calendar apps. It is merely a functionality that inherently comes with risks, and as such, they should be managed by the end users. They also said that the four million possible targets is a severe understatement, since it only covers a fraction of the iPhone ecosystem and doesn’t even include Android.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
