Google Closing authToken Security Hole with Server Side Fix
While Google earlier rolled out a client-side fix for Android 2.3.4 and higher, that left 99 percent of Android users still vulnerable. Considering how hard it is to get a new version of Android out to devices, Google is fixing the flaw on the server side.
“Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.”
The server-side fix means the concerns we raised about fragmentation and how Google would manage to fix the issue aren't a real concern. It's interesting, however, that Google did not address this until it was publicized. After all, they obviously knew about it since they fixed it in Honeycomb and Gingerbread.
However, the fix only addresses the ClientLogin issues with Calendar and Contacts, while the problem with Picasa remains. Google still has no fix for it, though it confirms it is working on the problem.