Apple’s iCal calendar app enables users to send event invitations via email lists. These then show up as calendar notifications that allow you to quickly add the event to your calendar.
iCal can scan email to detect calendar invitations, looking for things like locations and times that suggest the message refers to a specific event. This automatic monitoring opens the system to abuse, enabling malicious actors to distribute spam events in the same way as spam email.
This isn’t the first time that iCal has been hijacked. It’s been an ongoing issue for a few years but has become more serious in the past month. Before last week’s Black Friday sales events, iPhone owners noticed multiple invitations to discounts on big brands and designers were appearing in iCal.
Accepting the invitation adds it to your calendar. Rejecting it will delete it but does not solve the problem. Either action signals to the spammer that the notification has been received and responded to, confirming the email address is active and used by a real person. More spam events are then distributed in the same way.
The problem derives from how Apple stores calendar events in its iCloud cloud storage. Even if you reject an invitation, the event is still held online. One cybersecurity expert suggested Apple should implement an “Ignore” button that dismisses the notification without alerting the person who sent it.
“Because the calendar and photo sharing is mirrored to the cloud — even if you say you don’t want to go it still keeps a copy in the cloud,” Professor Alan Woodward of Surrey University told the BBC. “You can turn the iCloud off, but that defeats the object of having it, or you can use a complicated work around. What they really need is an ‘ignore’ button.”
iPhone users who are affected by the problem have two options to delete calendar events without notifying the sender. The first is to create a new calendar and drag the event into it, without first responding to it. The new calendar should then be immediately deleted. The multi-stage procedure is time-consuming if multiple messages are received, however.
The alternative is to change the behaviour of iCloud’s automatic email monitoring. By signing into iCloud.com and opening Calendar, it’s possible to set the monitors to create email messages instead of calendar invitations. This is found in the “Advanced” settings page under the “Invitations” panel.
Apple is yet to officially respond to the issues. The spam has been documented on forums and discussion boards for several months though, suggesting Apple is aware of what’s going on. So far, the company has taken no action, allowing users to be plagued by spam notifications during the busiest shopping period of the year.
