In the second half of May, researchers at the University of Ulm in Germany determined that all Android phones running any version below 2.3.4 Gingerbread are vulnerable to attacks over unencrypted Wi-Fi networks. That pretty much means that around 99.7 percent of Android users are at risk.
The German researchers published their findings in a paper entitled 'Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol'. The vulnerability is specific to unencrypted Wi-Fi hot spots, where the team demonstrated an attack that gained access to such items as contacts, calendar events and private pictures, including those currently being synced.
By stealing the authToken, the hackers can theoretically access a variety of other Google services on the phone. The best solution is to upgrade to Android 2.3.4, but the upgrades are hard to come by.
Three or four days after the vulnerability was reported, Google began rolling out a fix, and users were not required to make any changes. It's quite apparent that the fix being rolled out is all back-end, changing the way the network handles credentials by connecting to a more secure HTTPS server instead. However, the fix doesn't resolve all issues, and the third-party Gallery app will still leak data when communicating with Picasa.
The response was relatively quick, but the flaw shouldn't have existed in the first place. Connecting to open Wi-Fi networks with a mobile device is not a good idea anyway.