BreachExchange mailing list archives

Android’s Google Authentication is a Hacker’s Delight


From: Lee J <lee () riskbasedsecurity com>
Date: Mon, 16 Sep 2013 16:56:37 +1000

http://www.mensxp.com/technology/smart-phones/20373-androids-google-authentication-is-a-hackers-delight.html

If you've got an Android device <http://www.mensxp.com/technology/phones/8531-why-switching-to-android-would-be-a-good-thing.html>,
you've probably used Google's handy one-click authentication shortcut, that
handy little button that lets you sign into various Google service sites
without having to enter your password. It's super convenient! For you and
for hackers <http://www.mensxp.com/technology/phones/5187-using-a-smartphone-beware-of-a-hack-attack.html>.

Craig Young, a researcher at security firm Tripwire, did some digging into
how the system really works, and turned up some scary details in a
presentation last week. The underlying system, called "weblogin", works by
creating a special token that identifies you to various Google services.
But it can be stolen easily, and when it is, it'll work for just about
anything.

Young created a proof-of-concept app that pretended to be for viewing
stocks, while in actuality it would steal a user's Google Finance login
token and test it against other Google services <http://www.mensxp.com/technology/internet/8882-how-google-is-taking-over-the-world.html>
like Google Apps, Gmail, Drive, Calendar, Voice. And when Young put the app on
the Play Store (clearly labelled in the description as dangerous), it
persisted for months, either unscanned (bad) or scanned and OKed (worse!)
by Google's anti-malware system: Bouncer.

The vulnerability was reported to Google back in February, but since then
only parts of the breach have been fixed, like full rips of account
information via Google Takeout. Stolen tokens are still plenty useful for
rifling through someone's Gmail though, or checking out the contents of
their Drive.

Until there's some sort of fix, it's probably wise to avoid one-click
authentication, convenience be damned. That means saying "no" if you get
any permission requests that mention "weblogin". It's a bummer, but good
security usually makes for some inconvenience, so be wary of the one-click
option, now and in general. And never, ever forget that even Play Store
apps might be trying to eat their way into your personal account information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
