Most Androids are vulnerable to account theft


TehSkull

Researchers at Germany’s University of Ulm have made some unsettling discoveries about the security of the Android platform. According to an article from The Register, the research group located a vulnerability that allows hackers to collect and use the digital tokens saved on a phone after a user inputs credentials for a password-protected service.

The problem seems to be linked to an authentication protocol called ClientLogin, which is present in Android versions 2.3.3 and earlier (aka most Android phones). After a user inputs credentials for services like Twitter, Facebook, or Google Calendar (to name a few), the programming interface retrieves an authentication token, which is sent in cleartext. “Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts,” claimed the article, quoting University of Ulm researchers.

Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code. “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote. “The short answer is: Yes, it is possible, and it is quite easy to do so.” Google has yet to release an official statement on the situation.

This is a serious problem. Almost every Android phone out there is on 2.3.3 or lower, which means almost every Android is susceptible to account theft. I can confirm this is true, because my Facebook account was hacked not even a week after buying my first Android. Possibly a coincidence, but I doubt it.
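An added example, not part of the original post or the article it quotes: a defender-side audit that scans proxy-log records from your own test device for ClientLogin authTokens sent without TLS. The `Authorization: GoogleLogin auth=` header format is an assumption taken from the ClientLogin API rather than from this thread, and the hostnames and tokens are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Assumption: ClientLogin tokens travel as "Authorization: GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"GoogleLogin\s+auth=(\S+)", re.IGNORECASE)
MAX_TOKEN_AGE_DAYS = 14  # validity window quoted in the article

# Constructed proxy-log records (not real traffic): (url, request headers).
SAMPLE_REQUESTS = [
    ("http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=DQAAAHconstructedTOKEN1"}),
    ("https://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=DQAAAHconstructedTOKEN2"}),
    ("http://contacts.example.test/sync",
     {"authorization": "googlelogin auth=DQAAAHconstructedTOKEN3"}),
    ("http://static.example.test/logo.png", {"Accept": "image/png"}),
]

def redact(token):
    """Keep only a short prefix so findings can be shared safely."""
    return token[:4] + "..." if len(token) > 4 else "..."

def find_cleartext_tokens(requests):
    """Return findings for requests that send an authToken without TLS."""
    findings = []
    for url, headers in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS protects the header in transit
        for name, value in headers.items():
            if name.lower() != "authorization":
                continue  # header names are case-insensitive
            match = TOKEN_RE.search(value)
            if match:
                findings.append({
                    "host": parts.hostname,
                    "path": parts.path,
                    "token": redact(match.group(1)),
                    "exposure_days": MAX_TOKEN_AGE_DAYS,
                })
    return findings

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_REQUESTS):
        print(f"{f['host']}{f['path']}: token {f['token']} sent in cleartext, "
              f"replayable for up to {f['exposure_days']} days")
```

Any finding means the token should be treated as exposed for its whole validity window; the fix on the app side is to send those requests over HTTPS only.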
 

L551

Everything seems to have a vulnerability lately, doesn't it? o.O Well, mainly Sony, but still.

Hope they find a way to patch 2.3.3 and below for those users. (Most phones are still on 2.1/2.2) I don't want this to turn into a widespread thing... though I'm on 2.3.4.
 

TehSkull

I guess I didn't look back enough pages. :/
What the? How the? I looked through 3 pages, and didn't see it. :|
 

RupeeClock

I don't particularly see how this differs from vulnerabilities found in things like Windows OSs or Firefox; these sorts of problems are discovered all the time and promptly patched.

I suppose the difference is that the vulnerability exists in a device that is always communicating with other devices and connections, leaving it much more open than other things.
 

TehSkull

That, and it's up to the OEM/Carrier, not Google, as to when patches get rolled out. People who run CyanogenMod or the like are always on the latest version from Google, but those with stock ROMs have to wait on their carrier to okay the update.
 