CATEGORIES
home News

Android authToken Bug Places 99% of Handsets at Risk

by Michael SantoWednesday, May 18, 2011, 11:03 AM EDT
The bad news: Google's Android platform has a vulnerability that could allow the credentials used to access Google Calendar, Contacts and possibly other accounts to be stolen. The good news: Google fixed this in Android 2.3.4. More bad news: Android 2.3.4 is only on 1 percent of Android handsets (it's that fragmentation thing).

The problem stems from an error in Google's implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and lower. Once a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, an authentication token is delivered, but the problem is that the token is sent in cleartext. The authToken allows access to the logged-in service for up for 14 days, without requiring another login.

The researchers, from Germany's University of Ulm said that hackers could capture such authTokens en masse if they leveraged the fact that devices will attempt to reconnect to a previously known network (assuming that setting is enabled in the OS). The reconnection is based on the network's SSID. Thus:
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks. With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
For the 99 percent of people who do not have a fix, the best way to avoid the issue is to avoid unsecured wi-fi networks. Google is aware that even with the fix in place, devices synchronizing with Picasa web albums transmit sensitive data through unencrypted channels; they are working on a fix. 
Tags:  Android, Google, security
TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2025 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment