- Calendar subscriptions can be hacked, with links to phishing or malware inserted into users’ programs.
- Bitsight has discovered 347 domains affecting approximately 4 million devices, primarily in the United States.
- It is not a bug but a risky feature; users should manage their subscriptions carefully.
A useful feature in popular calendar apps can be abused to trick people into clicking malicious links or revealing sensitive information, researchers say.
Popular calendar apps allow users to subscribe to external calendars, which allows third parties, such as businesses or organizations, to add events directly to subscribers’ calendars. It can be anything from discounts and sales to public events, holidays and more.
However, if a company goes out of business or its domain expires, its subscribers’ calendar subscriptions do not expire at the same time. If a cybercriminal gains control of the domain, they can insert events directly into users’ calendars, including links to phishing pages or websites that host malware. The same applies to companies whose infrastructure has been hijacked or hacked.
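As an added example, not from the article or Bitsight’s own research, here is a small audit a defender could run over a subscribed .ics feed before trusting it: it parses the events and flags every link whose host is not the feed’s own domain, which is exactly what a hijacked subscription would start emitting. The feed URL, domains and events below are constructed.

```python
"""Audit an iCalendar (.ics) subscription feed for links that leave the feed's domain.
Hypothetical helper, not Bitsight tooling; the sample feed and hosts are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_events(ics: str) -> list[dict]:
    """Collect the properties of each VEVENT block into a dict (property params dropped)."""
    events, cur = [], None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.split(";")[0]] = value  # "DTSTART;VALUE=DATE" -> "DTSTART"
    return events

def audit_feed(ics: str, feed_url: str) -> list[tuple[str, str]]:
    """Return (event summary, link) for every link not under the subscription's own host."""
    feed_host = urlparse(feed_url).hostname or ""
    findings = []
    for ev in parse_events(ics):
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "URL", "LOCATION"))
        for link in URL_RE.findall(text.replace("\\n", " ")):  # "\n" is the ICS escape for newline
            host = urlparse(link).hostname or ""
            if host != feed_host and not host.endswith("." + feed_host):
                findings.append((ev.get("SUMMARY", "?"), link))
    return findings

SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Tag der Deutschen Einheit
DTSTART;VALUE=DATE:20241003
URL:https://holidays.example.de/unity-day
END:VEVENT
BEGIN:VEVENT
SUMMARY:Urgent: verify your account
DESCRIPTION:Your calendar access expires today.\\n Confirm
  at https://login-verify.example.net/ics
END:VEVENT
END:VCALENDAR"""

if __name__ == "__main__":
    for summary, link in audit_feed(SAMPLE_ICS, "https://holidays.example.de/feed.ics"):
        print(f"off-domain link in event {summary!r}: {link}")
```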
Risky business
According to security researchers at Bitsight, this is a real problem that currently affects around four million devices, as attacks abuse people’s trust in various brands and organizations.
“Our research started with a single domain that we registered, which then registered 11,000 unique IP addresses per day,” the experts said.
“This domain served as a server for a subscription calendar that distributed school events and German holidays and this caught our attention. Why would a German holiday domain be available with .ics files?”
In the end, they discovered 347 domains, including FIFA 2018 events, Islamic Hijri calendars and others, associated with around four million unique IP addresses, most of them in the US.
Bitsight emphasizes that this is not a vulnerability or bug in calendar applications. It is simply a feature that carries risks and must therefore be managed by end users. They also said the four million possible targets is an undercount, because that figure only covers a fraction of the iPhone ecosystem and does not even include Android.
