Tuesday, August 6, 2013

Security researcher highlights risks of Google's weblogin for one-click authentication in Android
Aug 5th 2013, 16:54, by Jeff Causey


At Def Con 21 in Las Vegas, Tripwire security researcher Craig Young demonstrated a proof of concept for a weakness in the way Android handles one-click authentication to Google web sites and apps. The mechanism, called "weblogin", issues a unique token that signs the user in to Google services through their Google+ account without the password being entered again. Young's proof of concept showed how a rogue app, once granted access to the Google account on the device, can obtain such a token and forward it to an attacker. With the token in hand, an attacker can impersonate the victim to a range of Google services, including Gmail, Google Apps, Drive, Calendar and Voice.

Beyond the fact that a well-constructed app can siphon off the weblogin token, Young points out that a large part of the problem is that a single token is accepted by most, if not all, of the Google services a user accesses. One stolen token therefore opens many doors. Besides reading documents, email or calendar entries, an attacker could log in to the victim's Google Play account and remotely install apps. In some cases an attacker could even reset the account password, locking the owner out of their own account.

Young reported the issue to Google in February, and the company has since blocked some of the actions an attacker could take. For instance, the Google Takeout service will no longer provide a data dump for an entire Google Account, and adding users to a Google Apps account now requires additional workarounds.

A further disturbing finding from Young's research is how easily an explicitly malicious app can get into the Google Play store and stay there. According to reports, Young uploaded a test app to Google Play that was clearly labelled as malicious, with a warning telling users not to install it. It remained available for a month, until a user reported it, without Google's Bouncer service ever flagging it. It is not clear whether Bouncer never scanned the app or scanned it and "passed" it, but neither possibility reflects well on Bouncer's effectiveness. Young also reported that most Android antivirus products failed to detect the app as malware, though one unnamed privacy application did flag it as having account access.

Young and other researchers recommend that Google Apps domain administrators not use their administrator Google Account on an Android device. General users are cautioned to pay attention when an app requests access to accounts on the device, especially when the permission prompt mentions "weblogin" or "ID" in its description. They also argue that Google should give users more granular control over how weblogin tokens are used, and that the weblogin prompts should be more informative so users understand what they are agreeing to.
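For readers who want to turn the two points above (how an app obtains a weblogin token, and what to watch for in the account-access prompt) into a concrete check, the following is an added example. It is not code from the article, from Tripwire or from Young's proof of concept. It assumes, based on public descriptions of the Android Google account plumbing, that an app requests a weblogin token by passing an authTokenType string of the form `weblogin:service=<service>&continue=<url>` to AccountManager.getAuthToken(), and that such strings can be pulled from an APK with ordinary static tooling. The sample strings, the placeholder service names in them and the host watch list are constructed for illustration.

```python
"""Classify Android AccountManager token-type strings recovered from an app.

Added example, not code from the article or from Craig Young's research.
Assumption: a weblogin request is expressed as an authTokenType string
    weblogin:service=<service>&continue=<url>
handed to AccountManager.getAuthToken(). Everything else here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Destinations whose web session is worth far more than one app should need.
# Constructed watch list mirroring the article's examples: Google Apps
# administration, remote app install via Google Play, account recovery.
SENSITIVE_HOSTS = {
    "admin.google.com",
    "play.google.com",
    "accounts.google.com",
}


@dataclass
class TokenRequest:
    raw: str
    is_weblogin: bool
    service: Optional[str]
    continue_host: Optional[str]
    sensitive: bool


def parse_token_type(token_type: str) -> TokenRequest:
    """Classify one authTokenType string.

    Non-weblogin types (for example "oauth2:<scope>") are scoped API tokens
    and are returned unflagged; only weblogin types mint a full web session.
    """
    prefix = "weblogin:"
    if not token_type.startswith(prefix):
        return TokenRequest(token_type, False, None, None, False)
    # The part after the prefix is query-string encoded, so a 'continue' URL
    # that itself contains '&' or '=' has to be percent-encoded by the caller.
    params = parse_qs(token_type[len(prefix):], keep_blank_values=True)
    service = params.get("service", [None])[0] or None
    cont = params.get("continue", [None])[0] or None
    host = None
    if cont:
        host = (urlparse(cont).hostname or "").lower() or None
    return TokenRequest(token_type, True, service, host, host in SENSITIVE_HOSTS)


def triage(token_types: List[str]) -> List[TokenRequest]:
    """Return only the weblogin requests, most sensitive destinations first."""
    found = [parse_token_type(t) for t in token_types]
    weblogins = [t for t in found if t.is_weblogin]
    return sorted(weblogins, key=lambda t: (not t.sensitive, t.raw))


def report(token_types: List[str]) -> List[str]:
    """One analyst-readable line per weblogin request found."""
    lines = []
    for t in triage(token_types):
        tag = "SENSITIVE" if t.sensitive else "weblogin"
        lines.append(f"[{tag}] service={t.service} continue_host={t.continue_host}")
    return lines


# Constructed sample: strings as they might be pulled from a decoded APK.
# 'finance', 'ah' and 'androidmarket' are placeholder service names.
SAMPLE_TOKEN_TYPES = [
    "oauth2:https://www.googleapis.com/auth/userinfo.email",
    "weblogin:service=finance&continue=https://finance.google.com/finance",
    "weblogin:service=ah&continue=https://admin.google.com/",
    "weblogin:service=androidmarket&continue=https://play.google.com/store/apps",
]


if __name__ == "__main__":
    for line in report(SAMPLE_TOKEN_TYPES):
        print(line)
```

The point of the classification is the one the article makes: an "oauth2:" token is scoped to an API, whereas any "weblogin:" token yields a browser session for the whole account, so the service named in the string tells you little about what the token can actually reach. Treat every weblogin request from a third-party app as something the user should have been asked about explicitly, and treat one whose continue URL points at an administrative or store destination as a red flag.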

source: PCWorld
