No announcement yet.

Eugene Lim - You Have One New Appwntment - Hacking Proprietary iCalendar Properties

  • Filter
  • Time
  • Show
Clear All
new posts

  • Eugene Lim - You Have One New Appwntment - Hacking Proprietary iCalendar Properties

    Eugene Lim - You Have One New Appwntment - Hacking Proprietary iCalendar Properties

    Eugene "spaceraccoon" Lim, Cybersecurity Specialist, Government Technology Agency of Singapore, He/Him

    Presentation Title: You Have One New Appwntment - Hacking Proprietary iCalendar Properties
    Length of presentation: 45 minutes
    Demo, Tool, Exploit

    Abstract: First defined in 1998, the iCalendar standard remains ubiquitous in enterprise software. However, it did not account for modern security concerns and allowed vendors to create proprietary extensions that expanded the attack surface.

    I demonstrate how flawed RFC implementations led to new vulnerabilities in popular applications such as Apple Calendar, Google Calendar, Microsoft Outlook, and VMware Boxer. Attackers can trigger exploits remotely with zero user interaction due to automatic parsing of event invitations. Some of these zombie properties were abandoned years ago for their obvious security problems but continue to pop up in legacy code.

    Furthermore, I explain how iCalendar’s integrations with the SMTP and CalDAV protocols enable multi-stage attacks. Despite attempts to secure these technologies separately, the interactions that arise from features such as emailed event reminders require a full-stack approach to calendar security. I conclude that developers should strengthen existing iCalendar standards in terms of design and implementation.

    I advocate for an open-source and open-standards approach to secure iCalendar rather than proprietary fragmentation. I will release a database of proprietary iCalendar properties and a technical whitepaper.

    Biography: Eugene (spaceraccoon) hacks for good! At GovTech Singapore, he protects citizen data and government systems through security research. He also develops SecOps integrations to secure code at scale. He recently reported remote code execution vulnerabilities in Microsoft Office and Apache OpenOffice and discussed defensive coding techniques he observed from hacking Synology Network Attached Storage devices at ShmooCon.

    As a bug hunter, he helps secure products globally, from Amazon to Zendesk. In 2021, he was selected from a pool of 1 million registered hackers for HackerOne's H1-Elite Hall of Fame. Besides bug hunting, he builds security tools, including a malicious npm package scanner and a social engineering honeypot that were presented at Black Hat Arsenal. He writes about his research on

    He enjoys tinkering with new technologies. He presented "Hacking Humans with AI as a Service" at DEF CON 29 and attended IBM's Qiskit Global Quantum Machine Learning Summer School.


    1. @exandroiddev, "Phishing with fake meeting invite", 2021.
    2. Diana Lopera, "PhishINvite with Malicious ICS Files", 2020.
    3. Andy Grant, "Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code", 2020.
    4. Andy Grant, "Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)", 2020.
    5. Ryan Picken, "Hacking the Apple Webcam (again)", 2022.
    6. Mickey Jin, "CVE-2022-22616: Simple way to bypass GateKeeper, hidden for years", 2022.
    7. Fabrian Braunlein and Lukas Euler, "Windows 10 RCE: The exploit is in the link", 2021.
    8. Sarah Edwards, "Manual Analysis of NSKeyedArchiver Formatted Plist Files - A Review of the NEW OS X 10.11 Recent Items", 2016.
    9. Inti de Ceukelaire, "You've got pwned: exploiting e-mail systems", 2020.

    Last edited by number6; June 18, 2022, 14:02.