The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned.
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”
The researchers’ findings are pretty damning. Although Google has supposedly released a patch to address the problem, it has only been made available for newer versions of Android. 99% of the Android devices currently in use run a version that hasn’t been patched. Android users are being advised to avoid public wi-fi networks to mitigate this incredibly serious problem.
But it’s unlikely that most of the people walking around with Google spyware-laden phones and tablets have even heard about this issue, or could taken action even if they knew (Google’s deals with major mobile carriers give them control over updates to Android devices, which prevents the Monster of Mountain View from delivering all updates directly to users).
For all of its sins, Apple at least refuses to allow carriers to have any say in when and how iOS updates are delivered. That’s not to say that the proprietary business model Apple has built is a good thing, but users should be able to update software for their devices when it is available, and it should be their choice. Smartphones and tablets ought to be under the control of the people who own them, not the giant corporations that sell them.
Kudos to Vahe G for once again reminding us why entrusting our user data to Google is a bad idea:
Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain.
If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.
What Vahe did is use Google’s Blogger to create a blog (on BlogSpot) and then take advantage of a security vulnerability to harvest the email address of anyone signed in with a Google account. The harvesting was taking place just by visiting the blog in question. As proof, Vahe was sending messages to the harvested addresses urging the individuals who own those addresses to share a goo.gl shortlink pointing to the blog with friends.
After TechCrunch reported the exploit, Google took down the blog, and Vahe sent an email to TechCrunch’s founder, Mike Arrington, explaining the vulnerability:
Hi Mr. Arrington,
I see you have already shared the news. It’s good that google got it down, I really don’t want people to know about how that was done (if Google contacts I will definitely tell them – they just don’t answer my emails). Problem relies solely on Google.
Problem is I asked a lot of people, and most of them don’t really understand and care about this kind of things and big companies act like they all really protect our privacy and such, but they see that people don’t care and don’t do anything really.
Vahe G. (Armenian 21yrs guy whom Google doesn’t wanted to even talk to)
That’s one incredibly smart guy.
We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to firstname.lastname@example.org.
It’s telling that the issue only got addressed after it made it onto one of the most widely-read technology blogs in the world. By not catching these things earlier, Google is exposing its users to external harm. All the more reason not to have a Google account and not do business with Google at all.