- Calendar subscriptions can be hijacked, inject phishing links or malware into user plans
- Bitsight found 347 domains affecting about 4 million devices, mostly in the United States
- Not a bug, but risky functionality; users must manage subscriptions carefully
A handy feature in popular calendar applications can be misused to trick people into clicking on malicious links or giving away sensitive information, researchers say.
Most popular calendar apps allow users to subscribe to external calendars, allowing third parties such as businesses or organizations to add events directly to subscribers’ schedules. It can be pretty much anything, from discounts and sales events to public events, holidays and more.
However, if a business shuts down or their domain expires, the calendar subscription will not expire with it. If a cybercriminal manages to obtain the domain, they can add events directly to people’s calendars, including links to phishing pages or websites that host malware. The same applies to companies whose infrastructure was hijacked or hacked into.
Risky business
This is according to security researchers Bitsight, who claim that this is a real problem currently affecting around four million devices, as the attacks abuse the trust people have in various brands and organizations.
“Our research began with a single domain that we sank and recorded 11,000 unique IP addresses per day,” the experts said.
“This domain was acting as a server for a subscriber calendar that distributed German public and school holiday events, and it got our attention. Why would a domain for German holidays with .ics files be available?”
They ended up discovering 347 domains, including FIFA 2018 events, Islamic Hijri calendars and others, associated with approximately four million unique IP addresses, most of which were located in the United States.
Bitsight emphasizes that this is not a vulnerability or bug in the calendar apps. It is just a functionality that inherently comes with risks and as such should be managed by the end users. They also said that the four million possible target is a serious understatement, as it only covers a fraction of the iPhone ecosystem and doesn’t even include Android.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
