Android’s latest security snafu: One-click authentication lets hackers steal passwords

BGR.com
Android One-Click Authentication Security Hole

Android One-Click Authentication Security Hole

Hackers have been uncovering a lot of Android security holes lately, including one vulnerability that lets hackers turn legitimate Android apps into malware and another that has given the FBI the ability to remotely flip on Android phones’ microphones to record conversations. Now IDG News, via PCWorld, reports that a security researcher at the Defcon security conference in Las Vegas this weekend showed off a new Android exploit that uses Google’s one-click authentication feature to steal users’ passwords.

[More from BGR: Apple’s once-dominant tablet market share has collapsed]

As IDG News writes, Tripwire researcher Craig Young has created “a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.” The app is able to do this by getting Android users to give it permission “to access a URL that starts with ‘weblogin’ and includes finance.google.com,” which then gives it access to the tokens it needs to log into all of the users’ Google accounts. From there, hackers can access Android users’ email, their Google Drive documents, their search history and much, much more.

[More from BGR: Why Obama stopped the ITC from banning Apple’s iPhone 4 and iPad 2]

Google did not respond to IDG’s request for a comment.


This article was originally published on BGR.com

View Comments (3)