Your Web Identity May Be At Risk With Android’s One-Click Authentication
Another security flaw has been discovered that could endanger your privacy and your identity online if you’re a user of Google’s Android platform. According to researchers at the Defcon conference in Las Vegas, Nevada, an Android OS feature that lets users authenticate quickly and conveniently without entering their login credentials could be abused by malicious hackers and pose a security risk.
The feature under scrutiny is known as weblogin. The Android OS with Google services generates a unique token for the device so that users can be authenticated automatically when using Google services if they have Google accounts configured on their devices.
According to PC World, security researcher Craig Young of Tripwire created a proof-of-concept malicious app that can steal weblogin tokens and impersonate the user, allowing the hacker to access Google Apps, Gmail, Google Voice, and other Google services.
During installation, the app asks for permission to find accounts on a device, use the accounts on a device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with “weblogin” and includes finance.google.com.
This secondary prompt is uninformative and most users are likely to accept the request, Young said.
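The install-time permission set described above can be used as a triage signal when reviewing apps. The sketch below is an added example, not code from the article or from Young's proof-of-concept; it assumes the three prompts correspond to the Android manifest permissions GET_ACCOUNTS, USE_CREDENTIALS and INTERNET, and that its input is concatenated `aapt dump permissions` output (the sample and its package names are constructed).

```python
import re

# Manifest permissions behind the install-time prompts the article lists
# (mapping the prompt wording to these names is this example's assumption).
WEBLOGIN_TRIAD = {
    "android.permission.GET_ACCOUNTS",     # "find accounts on the device"
    "android.permission.USE_CREDENTIALS",  # "use accounts on the device"
    "android.permission.INTERNET",         # network access
}

# Accepts both aapt styles: uses-permission: name='X' and uses-permission: X
_PERM = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")
_PKG = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")

def parse_aapt(dump):
    """Return {package: set(permissions)} from concatenated aapt dumps."""
    apps, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = _PKG.match(line)
        if m:
            current = apps.setdefault(m.group(1), set())
            continue
        m = _PERM.match(line)
        if m and current is not None:
            current.add(m.group(1))
    return apps

def triage(dump, allowlist=()):
    """Packages holding all three permissions, minus vetted ones, sorted."""
    return sorted(pkg for pkg, perms in parse_aapt(dump).items()
                  if WEBLOGIN_TRIAD <= perms and pkg not in allowlist)

# Constructed sample (package names are made up).
SAMPLE = """\
package: com.example.stockviewer
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.USE_CREDENTIALS'
uses-permission: name='android.permission.INTERNET'
package: com.example.flashlight
uses-permission: android.permission.INTERNET
package: com.example.mailclient
uses-permission: android.permission.GET_ACCOUNTS
uses-permission: android.permission.USE_CREDENTIALS
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    for pkg in triage(SAMPLE, allowlist={"com.example.mailclient"}):
        print("review:", pkg)
```

Legitimate apps such as mail clients hold the same three permissions, so a match marks an app for manual review rather than identifying it as malicious.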
When the user accepts the prompt and allows the app permission to run, a token is generated and the user is taken to the Google Finance website, while at the same time the token is also sent via an encrypted server to the hacker’s server.
The danger here is that the token could also be used across Google’s services, allowing the hacker access to private images stored on Google’s Picasa or Google+ service as well as documents on Google Drive. The hacker could also post updates on Google+ and impersonate the user.
The issue affects both private, individual users and businesses that rely on Google services through Google Apps.
While this feature affords convenience to the user by sparing them from having to log in every time, it does pose a dangerous security risk. Perhaps this is why Apple may be exploring fingerprint authentication hardware for its rumored iPhone 5S, a feature that could still grant users convenience while at the same time granting them added protection. Rather than having to type in a password every time, users would just need to quickly swipe their finger across the sensor.