Unshelved by Bill Barnes and Gene Ambaum
comic strip overdue media

Wednesday, May 18, 2011

Quick response there, Google

99% of Android phones leak secret account credentials
The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned.

The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
Google rolls out fix for Android security threat
Google has plugged a security hole that exposed the vast majority of Android phone users' calendars and contacts when they accessed those services over unsecured networks.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a company spokesman wrote in an email. "This fix requires no action from users and will roll out globally over the next few days."

My phone uses Android 2.2, so it was vulnerable. So far I haven't used it over wi-fi networks, so I should be okay, but in the interim I turned off wi-fi access to my phone.

2 comments:

Mage said...

Wow, why is everyone running around the circle of security threats? First my ps3 and then this, hackers give me a break. mobile companies give me security :-/ buyaionaccounts

Eilir said...

It's true that there shouldn't have been such a glaring flaw (and certainly it shouldn't have taken so long for someone to point it out) in the first place. There will, I'm afraid always be technological holes that others will use to no good. While information I put out on networks should be protected, I do not assume it is. I am glad that once Google was made aware of the flaw, they acted quickly. They need to, in fact, to keep users. But I think we are also responsible for what we put out there in the first place, and we need both sides to work in tandem to protect our privacy.