Events added from Thunderbird are publicly visible

[dominique-unruh]

Describe the problem and steps to reproduce it:

When I add an event from an invitation, it has public visibility in Google calendar.

Steps:

• Select an invitation email to an event. (Those I get are often from Outlook/Exchange)
• Click on the "Accept" button in the bar over the email.
• Open the Google calendar and check the event details.
• Visibility level is "Public" (not "Private" or "Default visibility")

What happened?

The event is visible to everyone who has a link to the calendar, even if they were only given a link to the free/busy view.

What did you expect to happen?

Events are created with "Default visibility" (or it should be configurable).

Anything else we should know?

[kewisch]

Hi Dominique, thanks for reporting. Could you add some logging info with logging enabled, during the time the event is imported into your calendar, and maybe attach the redacted .eml from the invitation?

[dominique-unruh]

I needed to wait till I got another invitation (each can be used only once).
To my surprise, this time the problem did not occur.
I will experiment to see if I can recover the original situation. (This may take a while because I can try each invitation only once because it can be added only once.)

[dominique-unruh]

I reproduced the problem. A sanitized log is attached.

console-export-2024-5-27_16-28-0.txt

The bug did not occur when I had created a local Thunderbird calendar, and two Google calendars. and added an event to the first of the Google calendars.

But when I deleted the local calendar (only the two Google calendars left), the bug occurred when adding to the first calendar.

Of course there might be other variables that changed between the two experiments.

[kewisch]

Can you also attach or check the actual invitation email sources? If the contained event has CLASS:PUBLIC, then this will be considered a public event and that setting will propagate to your Google Calendar.

[dominique-unruh]

You are right! The event did contain CLASS:PUBLIC:

sanitized.ics.txt

I'm not attaching the whole email here because it was too difficult to sanitize. I added the base64-decoded ICS from the mail source. I assume it comes from creating an invite from an MS Exchange calendar or similar. One of the headers in the mail is:

x-ms-exchange-calendar-series-instance-id: XXXXXXXXXXXXXXXXX (sanitized base64-looking string)

So it seems clarified why the calendar events are public. But this leaves the question whether they should be public. I can't see a good reason why the inviting person should control the visibility of an event in the invited person's calendar. And additionally, I assume that this is not done intentionally, but is a bug (or at least strange behavior) of MS Exchange.

Since it is unlikely that we can get MS to fix that, I think the best would be to add all event with the default visibility (i.e. strip out the CLASS:PUBLIC). Otherwise there is a high risk of leaking confidential information.

[kewisch]

What happens if you accept the event from within the Gmail web UI? Is the imported event public or default?

[dominique-unruh]

I copied the email to a GMail account via IMAP (since my normal account that gets calendar invites is not GMail).

I do not get a UI element for accepting, only this:

[kewisch]

There need to be a few values set w.r.t. organizers, attendees, and some headers, if this doesn't match it won't show. Maybe you could replicate as follows:

1. From an outlook account, making sure it sends CLASS:PUBLIC, invite your gmail account directly.
2. Instead of through Thunderbird, go to the gmail web ui and accept the event.
3. Subscribe to the Google Calendar and check what the properties of the new event are.

[dominique-unruh]

I managed to follow those steps.

1. I created an event from Outlook Web and invited my Google Account.
2. I decoded the base64-encoded .ics file from the message source. It contains CLASS:PUBLIC.
3. I clicked "yes" in GMail when it asked how I want to respond to the event.
4. I checked in my Google calendar. The event said "default visibility"
5. I exported the calendar to .ics (via the private link), and searched for the event. It does not contain any CLASS:

(XXXXXXX marks privatized parts in the snippets below)

The base64-decoded event was:

BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:Microsoft Exchange Server 2010
VERSION:2.0
BEGIN:VTIMEZONE
TZID:(UTC+01:00) Amsterdam\, Berlin\, Bern\, Rome\, Stockholm\, Vienna
BEGIN:STANDARD
DTSTART:16010101T030000
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:16010101T020000
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
ORGANIZER;XXXXXXXXXXXXXXXXXXXX
ATTENDEE;XXXXXXXXXXXXXXX
DESCRIPTION;LANGUAGE=en-US:\n
UID:040000008200E00074C5B7101A82E008000000009656524061C9DA01000000000000000
 0100000003DA3CAD1612AAB4385EDBF4A67A19BC0
SUMMARY;LANGUAGE=en-US:Test cal
DTSTART;TZID="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna":2
 0240628T160000
DTEND;TZID="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna":202
 40628T170000
CLASS:PUBLIC
PRIORITY:5
DTSTAMP:20240628T134942Z
TRANSP:OPAQUE
STATUS:CONFIRMED
SEQUENCE:0
LOCATION;LANGUAGE=en-US:
X-MICROSOFT-CDO-APPT-SEQUENCE:0
X-MICROSOFT-CDO-OWNERAPPTID:2122769302
X-MICROSOFT-CDO-BUSYSTATUS:TENTATIVE
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
X-MICROSOFT-CDO-ALLDAYEVENT:FALSE
X-MICROSOFT-CDO-IMPORTANCE:1
X-MICROSOFT-CDO-INSTTYPE:0
X-MICROSOFT-DONOTFORWARDMEETING:FALSE
X-MICROSOFT-DISALLOW-COUNTER:FALSE
BEGIN:VALARM
DESCRIPTION:REMINDER
TRIGGER;RELATED=START:-PT15M
ACTION:DISPLAY
END:VALARM
END:VEVENT
END:VCALENDAR

The event exported from the calendar was

BEGIN:VEVENT
DTSTART:20240628T140000Z
DTEND:20240628T150000Z
DTSTAMP:20240628T135331Z
ORGANIZER;XXXXXXXXXXXXXXXX
UID:040000008200E00074C5B7101A82E008000000009656524061C9DA01000000000000000
 0100000003DA3CAD1612AAB4385EDBF4A67A19BC0
ATTENDEE;XXXXXXXXXXXX
ATTENDEE;XXXXXXXXXXXXXX
ATTENDEE;XXXXXXXXXXXXX
CREATED:20240628T134942Z
DESCRIPTION:\n
LAST-MODIFIED:20240628T135018Z
SEQUENCE:0
STATUS:CONFIRMED
SUMMARY:Test cal
TRANSP:OPAQUE
X-MICROSOFT-CDO-INSTTYPE:0
X-MICROSOFT-CDO-APPT-SEQUENCE:0
X-MICROSOFT-CDO-ALLDAYEVENT:FALSE
X-MICROSOFT-CDO-OWNERAPPTID:2122769302
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
X-MICROSOFT-DISALLOW-COUNTER:FALSE
X-MICROSOFT-DONOTFORWARDMEETING:FALSE
X-MICROSOFT-CDO-IMPORTANCE:1
X-MICROSOFT-CDO-BUSYSTATUS:TENTATIVE
END:VEVENT
END:VCALENDAR

[kewisch]

Alright, thanks. I'd consider this an enhancement to remove certain props for invitations, but acknowledging it would be great to have!