Android one-click Google authentication method puts users, businesses at risk - hardwickdonew2000
A feature that allows Android users to authenticate themselves to Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.
The feature is called "weblogin" and works by generating a unique token that can be used to instantly authenticate users on Google websites using the accounts they have already configured on their devices.
Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.
Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker, who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.
The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users.
During installation, the app asks for permission to find accounts on the device, use the accounts on the device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with "weblogin" and includes finance.google.com.
This second prompt is uninformative and most users are likely to accept the request, Young said.
If they do, a weblogin token is generated and the users are automatically signed in to the Google Finance website. However, at the same time, the token is siphoned off through an encrypted connection to a server controlled by the attacker.
The issue is that this weblogin token does not only work for Google Finance, but for all Google services, Young said.
For example, it can provide access to the victim's documents in Google Drive, emails in Gmail, calendar entries in Google Calendar, Google Web search history or potentially sensitive company information stored in Google Apps, the researcher said.
It can also be used to access a user's Google Play account and remotely install apps on his device, or to access his accounts on third-party websites that support Google Federated Login.
If the user is an administrator for a company's Google Apps domain, the attack could compromise the company's entire Google Apps deployment. The attacker would gain the ability to reset the passwords for other users on that Google Apps domain, create and modify privileges and roles, create and modify mailing lists, and even add new users with administrative privileges, the researcher said.
The issue was reported to Google in February and the company started blocking some of the things an attacker could do, Young said.
For example, an attacker authenticated via a weblogin token can no longer use the Google Takeout service to get a data dump for an entire Google Account and can no longer add new Google Apps users, although there is a workaround that still makes the latter action possible, Young said.
Young's app displays the weblogin permission prompt because it uses the standard Android API (application programming interface) to get the token. However, if the app used an exploit to get root privileges on the device, it would be able to grab the token without requiring user confirmation, he said.
The app stayed in Google Play for around a month until someone probably reported it as malicious, and during this time there was no indication it had been scanned by Bouncer, a Google Play service that searches for malicious apps in the market, the researcher said. If it was scanned, then it wasn't flagged as malicious, which raises questions about Bouncer's effectiveness, he said.
After it was reported as malicious, the app was removed from Google Play, and Android's local app verification feature now blocks it as spyware when a user tries to install it.
Google did not respond to a request for comment sent Thursday.
Most Android antivirus products from well-known vendors didn't detect the app as malware either, but one privacy advisor application did list the rogue app as having account access, Young said.
"Today's presentation showed that with enough ingenuity and effort you can easily bypass apparently well protected systems," said Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender, who attended Young's talk.
The only way to prevent these things from happening is to raise the cost of attacks, so that by the time one lock is bypassed, there is a new lock in place that needs to be breached, Cosoi said. Vulnerabilities can be found regularly, so continuous research definitely helps in improving systems like Google Bouncer, making attacks more costly for hackers to pull off, he said.
Businesses shouldn't allow their IT administrators to use Google accounts that are also Google Apps domain administrators on their Android devices, Young said.
Users should be wary of apps that request access to accounts added on the device and should answer "no" to permission prompts containing the words "weblogin" or "ID," he said.
Google should create an option to allow Google Apps domain owners to block Google Apps access via weblogin and should make the weblogin prompts more informative so that users understand what they do, the researcher said.
Source: https://www.pcworld.com/article/453200/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html
Posted by: hardwickdonew2000.blogspot.com