99% of Android handsets vulnerable to account credential theft


A report filed by UK publication The Register details a scary weakness in most Android handsets currently being sold. The vulnerability would allow attackers to collect and use digital tokens stored on a handset after a user authenticates to a password-protected service. “The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier,” reads the report, quoting research from the University of Ulm. “After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.” Google has issued a patch for the ClientLogin protocol with Android 2.3.4 and Android 3.0, but, as The Register points out, only 1% of Android devices are currently running the updated code.

What’s scary is how easy and effortless the exploit can be. “To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” the researchers reported. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”

Google has yet to issue an official comment on the matter.
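
An added example, not part of the original report or of any Google code: a check a developer could run over requests recorded from their own test device to flag any ClientLogin authToken that leaves the handset over plain HTTP, which is the condition the researchers describe. The `Authorization: GoogleLogin auth=` header is ClientLogin's request format; the hosts, token values and the `audit_requests` helper are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ClientLogin clients present the token as "Authorization: GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    host: str
    token_hint: str  # first 4 characters only; the full token is never reported


def audit_requests(requests):
    """Return a Finding for each request that carries an authToken without TLS."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        # Header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        match = TOKEN_RE.match(headers.get("authorization", "").strip())
        if match and parts.scheme != "https":
            hint = match.group(1)[:4] + "..."
            findings.append(Finding(req["url"], parts.hostname, hint))
    return findings


# Constructed sample: requests recorded from a test device via a debugging proxy.
SAMPLE = [
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAconstructed1"}},
    {"url": "https://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=DQAAAconstructed2"}},
    {"url": "http://static.example.test/logo.png", "headers": {}},
    {"url": "HTTP://contacts.example.test/feeds",
     "headers": {"authorization": "googlelogin auth=DQAAAconstructed3"}},
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE):
        print(f"cleartext authToken: {f.host} ({f.token_hint}) {f.url}")
```

Any finding means the token is readable by anyone on the same network for as long as it stays valid; the fix on the app side is to send every token-bearing request over https.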


  • Published Date: May 17, 2011 6:21 PM IST
  • Updated Date: May 18, 2011 5:00 AM IST