by autoexec 645 days ago
> An attacker can send malicious calendar invites to the victim that include file attachments...Before fixes were done, I was able to send malicious calendar invitations to any Apple iCloud user and steal their iCloud Photos without any user interaction.

What's the scope of this? Can anyone on macOS anywhere really just send random invites to anyone else who uses icloud? Who would even want that?


Not to be smart -- but how else would invites work?
How often do you get a calendar invite from a person who you have never interacted with through email before and don't have in contacts vs the opposite, and actually take the meeting?
I, in UK, book things on Eventbrite, they email you with a calendar invite. Same with other booking systems for events IIRC. You can probably add people to an invitation? Maybe if you can exploit such a system then people would have them in their whitelist in any case?

A little adjacent to your question but relevant enough I think.

This is a regular part of the recruiting process, where you may start chatting in LinkedIn and then get an invite on your email.
If the recruiter doesn't ask me first (or I don't agree to a meeting), this is called "spam", and I would be happy for the system to just not allow it.
I have never encountered a situation where a recruiter starts immediately with an invite without prior conversation (such an invite also blocks the time slot of the sender - it would be stupidly ineffective to do that). It is a hypothetical and improbable scenario that is not even worth mentioning here.
Okay, so why wouldn't you be able to whitelist them ahead of time then?
Often, a coordinator sends the invite - not the recruiter.
I've received Apple Calendar invites containing Chinese characters from individuals I've never heard of. I deleted them, but just receiving them was a bit alarming.
Not unrealistic as a consultant. My boss sells me to a project. Then clients might be asked to send me the meeting invite to kick things off. I might not have directly communicated with the client at any point at this time.
In a certain way, the Nigerian Prince con artist is a “consultant”…
I recently booked a haircut that sent me a calendar invite via email after booking it. I had never interacted with that email before, but I accepted the invite.
Pretty often at work. I'm often interacting with client/vendor teams or even new people at the company I work for. Probably a few times a week I'll get an invite from someone I have never exchanged an actual email with. Maybe Teams/other chat messages, maybe exchanged information with one of their colleagues, or talked over the phone.
HR / Recruiter setting up interviews? The person doing the inviting might be different from previous calls/emails.

Customer meetings I get invited to often come from someone I’ve never dealt with before, but include others who I work with who were responsible for bringing me into it.

I think there's a pretty big gap between "people at my company are allowed to add things to my calendar" and "random stranger anywhere in the world can add things to my calendar".
Neither of the above examples would come from people in my company.
"others who I work with who were responsible for bringing me into it" sounded to me like people at your company, who I assumed would be able to add you to the meetings. I guess I might have been mistaken
Project manager from other team arranging a cross team meeting?

Secretary office admin doing their job?

In-org usually has the whole domain white-listed and the whole organization would normally be auto-synced to your contacts.
There are possible safeguards -- only allowing invites if you are on each other's contact lists, for example, or the same domain, or something else. Apple had a big problem with Calendar spam that they have not really fixed.
I'd want to whitelist specific people before they could send me a calendar invite. Every other invite request should never reach my device. If I don't even know you, why would I want your invites anyway?
Because you work with people outside of your company, support, vendors, sales people etc.

Boss: Why aren't you in the meeting with our vendor to upgrade our X system?

You: Oh I whitelist all my invites. You see, I am thinking about security and don't want to receive invites from someone I don't know.

Boss: Clear your desk, security will walk you out.

The way I understand it now, they attach an invite to an email that you don't even read, but it shows up on your calendar. Is it too much effort to open the attachment yourself? Normally you think twice about opening an attachment from someone you don't know.
Or the much more sensible, and MSFT way of handling it (in outlook)

ExternalUser: Hello here is a calendar invite I would like you to attend, please confirm or deny

User: Thank you, now I can verify the request and choose to add this to my calendar or not

> Because you work with people outside of your company, support, vendors, sales people etc.

If I work with them, I would have them whitelisted. If I've never even heard of them they have no business sending my devices calendar invites.

Boss: Why aren't you working on that project I gave you?

You: Some stranger in Indonesia invited me to a sales meeting instead.

Boss: If I need you to go to a sales meeting with someone from Indonesia I'll tell you to! Clear your desk!

Idk, other members of the third party company get pulled in all the time and might schedule something. I can't imagine using a calendar whitelist or why you'd even want to.
Well, to eliminate a source of spam, reduce exposure to phishing, and prevent vulnerabilities like the one talked about in the article by reducing attack surface.

If someone is going to make some demand for my time, the very least they can do is give me notice outside of my icloud calendar. An email, an IM, a phone call, etc. are all very easy and they allow me to make sure it's real before it has any chance to interfere with my schedule. "Hey Boss, this guy says he's our new IT guy and he wants to talk about my network settings" or "Hey $vendor, I just got a call from $rando saying he's our new contact, can you verify that for me before I tell him everything I know about your proprietary applications?"

It helps that I like to keep my work devices and my personal devices entirely separate. If someone in the office wants to pull me into a work meeting through outlook, they'll already have to have an account set up on the company's exchange server. Anyone outside of the company I should already have a relationship with or at least a heads up.

I don't understand, how is receiving a calendar invite different from receiving any other email? Does MacOS automatically do something with calendar invites by design?
Is g cal not the same?
I think this isn't specific to iCloud, just in general invites are automatically picked up from emails. Calendar invites have long been a source of spam, so I'm not surprised there's also a vulnerability.