Google Calendar users should be careful with how they name their events, or they might just end up sharing them with others. In an attempt to intelligently interpret event names, it appears that Google Calendar will also automatically invite anyone whose email address is mentioned in the title — at times doing so without notifying whoever made the entry.
The biggest risk for some may be awkward situations, not security
As pointed out by developer Terence Eden, who first drew attention to the strange behavior, this can lead to some awkward situations, such as when his wife entered a reminder to email her boss about asking for a raise. While Calendar won't automatically send an email to that person about the event, that person will be able to see the pending invitation inside their own calendar. Eden says that this works with some non-Gmail users too but that it does not occur at all when creating an event on Android — just on the web.
It seems likely that these automatic invitations are occurring unintentionally through Calendar, as the issue only occurs in certain circumstances. When quickly naming an event from the main calendar view, users will be prompted about whether or not they want to invite a person, giving them a chance to deny it. It's only when including an email address from the expanded calendar entry screen that it will automatically invite a named email address to the event. Google does mention the ability to quickly invite others using this method in its documentation for Calendar, but it doesn't explain which of these ways users should expect it to function.
Google tells Eden that it believes "the issue has minimal impact on the security of our users." The issue is likely an uncommon occurrence, though it can certainly end in embarrassing situations. It could also potentially be used to spam another person's calendar with invitations in some cases — by silently filling it up with events — or result in users accidentally exposing their email address and Google+ account. Google didn't immediately respond to our request for comment.
Security issue or not, it's an odd behavior that users probably aren't familiar with. Many are likely aware of Google Calendar's sometimes-frustrating attempts to intelligently interpret event titles though — such as when it pulls times out of the title and puts them into their discrete field — and automatically inviting email addresses appears to be a far more frustrating extension of this. Of course, even if Google doesn't fix it, there's an easy enough fix for Calendar users once they know about the problem: just write in a person's actual name, and save their email address somewhere else.
Update: Google tells us that it's aware of the issue with Calendar and is actively working to fix it.