If you ’ve receive an Android twist , you ’ve probably used Google ’s ready to hand one - dog authentication shortcut , that handy little push that permit you sign into various Google service sites without birth to enter your watchword . It ’s super convenient!For you and for hacker .
Craig Young , a researcher at security measure firm Tripwire , did some dig into how the system really works , and turned up some shivery details in a presentation at Def Con last week . The underlying system — call “ weblogin ” — works by creating a particular keepsake that identifies you to various Google services . But it can be steal easily , and when it is , it ’ll sour for just about anything .
Young created a proof - of - construct app that pretended to be for viewing stocks , while in actuality it would steal a user ’s Google Finance login token and screen it against other Google services like Google Apps , Gmail , Drive , Calendar , Voice . And when Young put the app on the Play Store — clearly pronounce in the description as life-threatening — it persisted for months , either unscanned ( bad ) or skim and OKed ( worse ! ) by Google ’s anti - malware system : Bouncer .
https://gizmodo.com/googles-finally-cracking-down-on-android-malware-5881778
The vulnerability was report to Google back in February , but since then only parts of the breach have been fixed , like full tear of news report entropy via Google Takeout . steal tokens are still enough utile for rifling through someone ’s Gmail though , or check out the contents of their Drive .
Until there ’s some sorting of muddle , it ’s probably wise to avoid one - click auth , convenience be damned . That means say “ no ” if you get any permission requests that mention weblogin . It ’s a bummer , but good security measure usually wee for some worriment , so be wary of the one - pawl option , now and in world-wide . And never , ever block that even Play Store apps might be trying to consume your lunch . [ PC World ]
AndroidGoogleSecurity
Daily Newsletter
Get the best tech , science , and culture news program in your inbox daily .
News from the future , deport to your nowadays .
You May Also Like
