99% Of Android Handsets Vulnerable To Zeroday That Leaks User Login Creds


Researchers at multiple universities are warning that almost all smartphones running Google’s Android software could be giving third parties access to digital tokens that unlock services such as Google Calendar and Contacts.

The issue, which affects all devices running versions of Android prior to 2.3.3, is related to the handling of the authentication protocol ClientLogin. According to researchers at the German University of Ulm, once a user enters their credentials, the programming interface retrieves its token in plain text. With the token valid for 14 days, a window opens in which attackers could use their newfound access however they like.
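To check your own devices for this exposure, the added Python example below (not code from the researchers or from Google) audits request records from a proxy on a test network you control and reports every ClientLogin token that left the device without TLS. ClientLogin tokens travel in an `Authorization: GoogleLogin auth=` header; the record layout, hostnames and token values are constructed for the example, and the 14-day lifetime is the figure quoted above.

```python
import hashlib
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)   # validity window quoted in the article
PREFIX = "GoogleLogin auth="          # ClientLogin Authorization scheme

# Constructed sample records (hypothetical hosts and tokens), in an assumed proxy-log layout.
SAMPLE = [
    {"time": "2011-05-17T09:00:00", "url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-A"}},
    {"time": "2011-05-17T09:05:00", "url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=EXAMPLE-TOKEN-A"}},
    {"time": "2011-05-18T10:00:00", "url": "http://photos.example.test/feed/user/default",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE-TOKEN-B"}},
    {"time": "2011-05-18T10:01:00", "url": "http://example.test/", "headers": {}},
]

def find_cleartext_tokens(records):
    """Return one finding per distinct token seen on an unencrypted request."""
    findings = {}
    for rec in records:
        headers = {k.lower(): v for k, v in rec["headers"].items()}  # header names are case-insensitive
        auth = headers.get("authorization", "")
        if not auth.startswith(PREFIX):
            continue
        parts = urlsplit(rec["url"])
        if parts.scheme != "http":
            continue  # this request was protected by TLS
        seen = datetime.fromisoformat(rec["time"])
        # Report a fingerprint rather than the token, so the audit output is not itself a secret.
        fp = hashlib.sha256(auth[len(PREFIX):].encode()).hexdigest()[:12]
        f = findings.setdefault(fp, {"token_fp": fp, "hosts": set(), "first_seen": seen})
        f["hosts"].add(parts.hostname)
        f["first_seen"] = min(f["first_seen"], seen)
    for f in findings.values():
        # The token was issued no later than first_seen, so it cannot outlive this bound.
        f["latest_expiry"] = f["first_seen"] + TOKEN_LIFETIME
    return sorted(findings.values(), key=lambda f: f["first_seen"])
```

Any finding means the app or OS build on that device still sends the token in the clear; `latest_expiry` is the upper bound on how long a captured copy could remain usable.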

The whole process is pretty easy to exploit too, according to the researchers.

“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,”

“The short answer is: Yes, it is possible, and it is quite easy to do so.”

This comes after a professor at Rice University demonstrated a similar flaw affecting Facebook, Twitter and, once again, Google Calendar. This time, however, the hack could only be carried out on an unsecured Wi-Fi network. Google has since patched the hole in Android 2.3.4 but failed to plug the hole when it comes to Picasa, which allows web albums to potentially transmit sensitive data in plain text. Google is working on a fix.

The potential security holes are exacerbated by Android’s fragmentation issues, which cause phones to stay on older, outdated software long after their patches have been released. With mobile carriers and device manufacturers constantly meddling with Google’s operating system, updates can take months to get past their own software engineers (wtf?). The result is that 99% of Android devices are still wide open to hacks.

Google has recently said it will be working more closely with mobile carriers to try to reduce the time it takes for updates to be rolled out to everyone.

Security has got to be a priority, not an afterthought. When will companies that handle sensitive user data learn? Hopefully sooner than later.

James Burr is a seasoned Graphic & Web Designer with a decade of experience. A PR Strategist with a deep understanding of Social & New Media. He is also an avid Gamer who favors FPS Games on PlayStation & PC.
