According to security firm Tripwire’s researcher Craig Young, Android’s one-click Google authentication method referred to as “weblogin”, that allows users to authenticate themselves on Google websites without having to enter their account password, can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses (via PCWorld).
The security expert demonstrated the risk at the Defcon Security Conference in Las Vegas last week, by using a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.
“During installation, the app asks for permission to find accounts on a device, use the accounts on a device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with “weblogin” and includes finance.google.com.
This secondary prompt is uninformative and most users are likely to accept the request, Young said.
If they do, a weblogin token is generated and the users are automatically signed in to the Google Finance website. However, at the same time, the token is siphoned off through an encrypted connection to a server controlled by the attacker.”
Young added that this weblogin token does not only work for Google Finance, but for all Google services. It can provide access to the victim’s documents in Google Drive, emails in Gmail, calendar entries in Google Calendar, Google Web search history or potentially sensitive company data stored in Google Apps.
“It can also be used to access a user’s Google Play account and remotely install apps on his device or to access his accounts on third-party websites that support Google Federated Login.
If the user is an administrator for a company’s Google Apps domain, the attack could compromise the company’s entire Google Apps operation. The attacker would gain the ability to reset the passwords for other users on that Google Apps domain, create and modify privileges and roles, create and modify mailing lists, and even add new users with administrative privileges, the researcher said.”
The developer noted that his app stayed in Google Play for around a month until someone reported it as malicious, after which it was removed from Google Play and Android’s local app verification feature now blocks it as spyware when trying to install it.