BreachExchange mailing list archives
Android’s Google Authentication is a Hacker’s Delight
From: Lee J <lee () riskbasedsecurity com>
Date: Mon, 16 Sep 2013 16:56:37 +1000
http://www.mensxp.com/technology/smart-phones/20373-androids-google-authentication-is-a-hackers-delight.html

If you've got an Android device <http://www.mensxp.com/technology/phones/8531-why-switching-to-android-would-be-a-good-thing.html>, you've probably used Google's handy one-click authentication shortcut, that handy little button that lets you sign into various Google service sites without having to enter your password. It's super convenient! For you and for hackers <http://www.mensxp.com/technology/phones/5187-using-a-smartphone-beware-of-a-hack-attack.html>.

Craig Young, a researcher at security firm Tripwire, did some digging into how the system really works, and turned up some scary details in a presentation last week. The underlying system, called "weblogin", works by creating a special token that identifies you to various Google services. But it can be stolen easily, and when it is, it'll work for just about anything.

Young created a proof-of-concept app that pretended to be for viewing stocks, while in actuality it would steal a user's Google Finance login token and test it against other Google services <http://www.mensxp.com/technology/internet/8882-how-google-is-taking-over-the-world.html> like Google Apps, Gmail, Drive, Calendar and Voice. And when Young put the app on the Play Store (clearly labelled in the description as dangerous), it persisted for months, either unscanned (bad) or scanned and OKed (worse!) by Google's anti-malware system, Bouncer.

The vulnerability was reported to Google back in February, but since then only parts of the breach have been fixed, like full rips of account information via Google Takeout. Stolen tokens are still plenty useful for rifling through someone's Gmail though, or checking out the contents of their Drive. Until there's some sort of fix, it's probably wise to avoid one-click authentication, convenience be damned. That means saying "no" if you get any permission requests that mention "weblogin".

It's a bummer, but good security usually makes for some inconvenience, so be wary of the one-click option, now and in general. And never, ever forget that even Play Store apps might be trying to eat their way into your personal account information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com