“The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned,” Dan Goodin reports for The Register.
“The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said,” Goodin reports. “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.”
Goodin reports, “Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google’s own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-called sidejacking exploits that steal authentication cookies.”
Read more in the full article here.
MacDailyNews Take: Yup, if you don’t have an iPhone, well, you don’t have an iPhone (or data security).
[Thanks to MacDailyNews Readers “Fred Mertz,” “Dow C.” and “Sarah” for the heads up.]
