Researchers from Germany’s University of Ulm have identified a weakness that could allow attackers to hijack the authentication tokens used to access calendars, contacts and a number of other Google services from Android, affecting as many as 99% of mobile phones running the software.
The problem lies in how Google’s ClientLogin authentication protocol is implemented on the platform: once a user enters a valid username and password for a particular service, the resulting authentication token (authToken) is sent in cleartext. The implementation, which remains unpatched in Android versions 2.3.3 and lower, gives anyone holding that token unfettered access to the same service for up to 14 days, potentially providing attackers with a route into a person’s account.
The team, comprising Bastian Könings, Jens Nickels and Florian Schaub, explains what could be accessed as a result:
For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.
The attack utilises a process similar to that of the Firesheep desktop plugin, which lets attackers steal session cookies (sidejacking) and which helped its users steal the login credentials used to authenticate sessions on popular social networking websites like Facebook and Twitter.
For attackers to gain access to Google services, the user would first need to authenticate their device on an unencrypted wireless network, something that is generally frowned upon for these very reasons. For this reason alone, the vulnerability will never be exploited to its maximum capacity.
The good news is that Google is already aware of the vulnerability and has moved to patch the bug in its latest Android 2.3.4 firmware update, although some of its services, including Picasa, still transmit sensitive data over unencrypted channels, according to the researchers. Google has confirmed the claim and says it is working on a fix.
To reduce the impact of the vulnerability, developers who use ClientLogin are encouraged to switch immediately to https connections to protect data in transit and to begin utilising OAuth for authentication, which would mitigate the authToken capture issue straight away.
Android handset owners should upgrade to Android 2.3.4 as soon as it is possible to do so, although updates are normally an operator issue and customers are asked to wait. In the meantime, the researchers advise that users can also switch off automatic synchronisation in the settings menu when connecting to open WiFi networks, reducing the chances of an attacker capturing credentials.
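As an added illustration of the two points above (the cleartext authToken and the https mitigation), not code from the article or the researchers, the following Python scans a constructed set of captured HTTP requests for ClientLogin tokens sent over plain http, and shows the guard a developer can put in front of the token so it is only ever attached to an https request. It assumes the ClientLogin header form `Authorization: GoogleLogin auth=<token>`; the URLs and token values are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of requests as a capture or proxy tool might record them:
# (request URL, headers). Token values are placeholders, not real tokens.
SAMPLE_REQUESTS = [
    ("http://www.google.com/m8/feeds/contacts/default/full",
     {"Authorization": "GoogleLogin auth=DQAAAMoAAAC5EXAMPLEauthTOKENvalue0123456789"}),
    ("https://www.google.com/calendar/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=DQAAAMoAAAC5EXAMPLEauthTOKENvalue0123456789"}),
    ("http://picasaweb.google.com/data/feed/api/user/default",
     {"Authorization": "GoogleLogin auth=DQAAAKYAAADifferentTOKENforPicasa987654321"}),
    ("http://www.google.com/humans.txt", {}),
]

# ClientLogin puts the authToken in the Authorization header in this form.
CLIENTLOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$")


def redact(token):
    """Keep only a short prefix so a finding report does not re-leak the secret."""
    return token[:6] + "..." if len(token) > 6 else "..."


def find_cleartext_tokens(requests):
    """Return (host, redacted_token) for every ClientLogin authToken sent over plain http."""
    findings = []
    for url, headers in requests:
        parts = urlsplit(url)
        match = CLIENTLOGIN_RE.match(headers.get("Authorization", ""))
        if match and parts.scheme.lower() == "http":
            findings.append((parts.hostname, redact(match.group(1))))
    return findings


def token_allowed(url):
    """Developer-side policy: an authToken may only travel over https."""
    return urlsplit(url).scheme.lower() == "https"


def attach_clientlogin_auth(url, headers, token):
    """Attach the authToken to a request, refusing outright if the URL is not https."""
    if not token_allowed(url):
        raise ValueError("refusing to send ClientLogin authToken over cleartext: " + url)
    out = dict(headers)
    out["Authorization"] = "GoogleLogin auth=" + token
    return out
```

Running `find_cleartext_tokens(SAMPLE_REQUESTS)` flags the contacts and Picasa requests but not the calendar request, which went over https.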