Yesterday, Google confirmed that it had not yet finished fixing a security flaw in Android that made it easy to access user names and passwords over non-encrypted Wi-Fi networks. Fortunately, the company has acted fast and has rolled out a server-side update that will apparently cover all Android users.
In a statement to Mobilized, Google states:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
The issue, which has its roots in how the operating system sends out authentication tokens, was taken care of with the Android 2.3.4 update and Android 3.1 Honeycomb. However, most Android users don't have either update.
Before today, it would have been much easier for hackers to steal user information from places like Google Calendar, Facebook and Twitter because the authentication tokens were sent in clear text. This allowed login information to be stored for up to 14 days on Wi-Fi networks without a password.
And while Google is rolling out an update that fixes this for most places, Picasa is unfortunately still vulnerable, as the company is still trying to figure out how to address the photo sharing service.
So, if you're a heavy Picasa user, it might be best to stay off public Wi-Fi until Google gets around to plugging this vulnerability.