The horrible Android ClientLogin vulnerability

    In case you haven't been paying attention, a tremendously large Android security vulnerability was discovered recently. Anybody who uses and/or saves public WiFi networks should probably pay attention to this... :)

    Minor geekery below... :)

    According to researchers at the University of Ulm, any Android device running anything lower than 2.3.3 (so basically 99.9% of all phones out there) is vulnerable to an attack thanks to a weak ClientLogin authentication protocol.

    Any time an Android user signs into a service (such as Twitter, Facebook, etc.), the authToken information is stored for 14 days. When the device sees an access point that was previously saved -- such as attwifi, starbucks, T-Mobile, etc. -- the phone will automatically try to reconnect and the apps will start syncing, sending out the authTokens. The problem is that there's no verification that the access point you're connecting to is actually legit.

    That wouldn't be such a big problem if the apps didn't automatically send out the authToken. It's not only limited to Twitter or Facebook though; any app that sends the token over unencrypted http can be jacked -- including Google's own Contacts, Calendar and Picasa apps for Android phones.

    So a malicious user could set up their own honeypot access point -- at the airport let's say -- broadcasting a common name and capture information from devices that attempt to connect.

    The original discussion from uni-ulm:

    And an article on allthingsd where Google acknowledges the problem and confirms they're working on a fix that should be out soon...
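
    The mechanism the post describes, as an added Python example that is not part of the original thread or of Android's own code: a sync client that refuses to attach a ClientLogin-style authToken to anything but an https request (with a switch that reproduces the weak plain-http behaviour), plus an audit that lists the requests on which the token would have gone out in the clear. The `GoogleLogin auth=` header prefix is an assumption taken from the public ClientLogin documentation, and the example.com hosts and token value are constructed.

```python
from urllib.parse import urlparse

# ClientLogin carried the token in an Authorization header with this prefix
# (assumption from the public ClientLogin docs; the thread does not show it).
AUTH_PREFIX = "GoogleLogin auth="


class CleartextTokenError(ValueError):
    """Raised when an authToken would leave the device over an unencrypted link."""


def build_sync_request(url: str, auth_token: str, allow_plaintext: bool = False) -> dict:
    """Return the URL and headers a sync client would send to `url`.

    allow_plaintext=True reproduces the weak behaviour the post describes: the
    token rides over plain http, so whoever runs the access point can read it.
    The hardened default refuses to attach the token unless the scheme is https.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https" and not allow_plaintext:
        raise CleartextTokenError(f"auth token would be sent over {scheme!r}, not https")
    return {"url": url, "headers": {"Authorization": AUTH_PREFIX + auth_token}}


def find_token_leaks(requests: list) -> list:
    """Audit built requests (e.g. reconstructed from an app's own request log)
    and return the URLs where a ClientLogin token was attached to a non-https
    request, i.e. where a rogue access point could have captured it."""
    leaks = []
    for req in requests:
        auth = req.get("headers", {}).get("Authorization", "")
        if auth.startswith(AUTH_PREFIX) and urlparse(req["url"]).scheme.lower() != "https":
            leaks.append(req["url"])
    return leaks


# Constructed sample: three sync requests with a placeholder token; the calendar
# and picasa-style requests go over plain http, the contacts request over https.
SAMPLE_TOKEN = "PLACEHOLDER-NOT-A-REAL-TOKEN"
SAMPLE_REQUESTS = [
    build_sync_request("http://calendar.example.com/feeds/default", SAMPLE_TOKEN, allow_plaintext=True),
    build_sync_request("https://contacts.example.com/feeds/default", SAMPLE_TOKEN),
    build_sync_request("http://picasa.example.com/feeds/default", SAMPLE_TOKEN, allow_plaintext=True),
]

if __name__ == "__main__":
    for url in find_token_leaks(SAMPLE_REQUESTS):
        print("authToken would be sent in the clear to", url)
```
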
    TV is reporting that Google has announced a fix "to be rolled out in the next few days"!!!!!!
    What worried me more is that the token that ClientLogin gets is valid for 2 weeks :eek:
    TBH though, Wireshark is a hassle (some baddie has to look through mountains of text just so he could impersonate you on Google services, and probably not have access to your credit card, so I doubt people will be in too much danger aside from script kiddies*), and I guess as long as you're on an encrypted wifi network + using an https tunnel you should be ok....
    *OK, perhaps some real stalker black hat would stalk a celebrity known to have an Android device and wait for them to connect to an unsecured wifi network....
    Side rant. Blame AT&T. Probably Verizon too. Perhaps Sprint. I doubt T-Mobile, but it's possible (as T-Mobile's been good about updating their Android devices). AT&T (and any other telco) has the right to not let any Android updates onto their phones (indeed a certain Backflip is in this position) and cripple the Android OS in any way they want (sideloading anyone? To AT&T's credit they've been enabling sideloading on their devices now). Google can roll out the update right now and it would probably take weeks, if not months, for it to reach all Android devices, if it does reach them at all, because of the telcos "testing updates"/dragging their feet.*
    *not that a telco with any sort of brain would refuse to allow an exploit patch on their phone
    Siderant 2: MS is doing it right with WP7: a telco can skip one update, but you have to allow the next one*. Not too keen on not updating the hardware baseline often but that's fine.
    *I think all exploit patches are required too. True, telcos can drag their feet with exploit patches, but at least you know they don't have the right to refuse that patch.
    Telco crap in the OS is my only problem with Android.

    But according to we'll have our update within a couple of days from Google.
