Adnan Farooqui writes:
Terence Eden is a developer who has discovered a privacy flaw in Google Calendar. He found that Calendar will automatically invite anyone whose email is entered in the title of an entry, even if the user makes that entry in their private calendar and does not plan on inviting anyone else. Invitations are sent without notifying the user.
Read more on UberGizmo. You can find Eden’s original blog post on his blog, here, where he provides this update:
Update 24 January: Google have agreed to fix this bug!
[W]e agree that the behavior you identified is undesirable, and we filed a bug with the Calendar team last week. They’ve been working on changing the behavior to make it clearer that someone has been added to the event in the situation you described.
While we won’t be getting any of the monetary reward from the bug bounty, Google have graciously decided to include us in their Security Hall of Fame.