An exposure in the way Google handles authentication is an illustration of the unintended consequences of trading security for a little bit of convenience.

Craig Young, a researcher from security company Tripwire, demonstrated at Def Con over the weekend how an Android single sign-on token known as WebLogin can expose data stored in almost any Google service, regardless of platform. The tokens are meant as a convenience for users, allowing them to forgo having to enter their password every time they access a Google service.

Young, however, designed an Android application that he uploaded to Google Play demonstrating how WebLogin tokens could be sent to a remote server for use by an attacker to access the Google Apps domain control panel. The tokens are sent through to the attacker without being detected and can be used to bypass password prompts, even when password re-verification is required. If the victim is a Google Apps admin with access to company data, all of that sensitive information would be in jeopardy as well. Young created a short video demonstrating the problem.

“Google Apps is particularly affected; if I get a token from an admin, I get the same permissions they have on a Google Apps domain,” Young said. “If I get a token from a regular user, I can get access to their docs, Gmail account or anything else they’ve configured.”

This isn’t limited to Android, Young said; Chrome users on Windows and Mac OS X are impacted, as likely are iPhone users on Chrome.

Young had been working with Google for months, and the company believed it had fixed the issue by April via a number of Chrome and Android updates. But Young informed Google prior to his Def Con presentation that he still could grab WebLogin tokens to access accounts.

“The design choices they made in implementing their authentication system make it so you gain access to an entire account,” Young said.

Young’s application was called Stock Viewer and posed as an app for Google Finance where users could monitor stocks in their portfolio. The app was priced at $150 to discourage anyone from downloading it, and the description urged users never to install it. The application was available for a month on Google Play, meaning it passed the initial Google Bouncer check; it was likely reported as malicious, leading to its takedown from the market.

“I can only speculate, but based on the server logs, there was no indication Bouncer executed the malicious parts of the application. If they’re doing behavioral analysis, they’re not doing it in an environment connected to a Google account,” Young said, adding that previous research on uploading apps to Google Play demonstrated Bouncer’s effectiveness at catching apps trying to steal data directly. “It’s quite possible Bouncer is not implemented on the AccountManager API.”

An attacker can also obtain the tokens via a root exploit, physical access to a logged-in device or browser, or, in the case of law enforcement, via a forensics tool. Once an attacker has access to an account, they could do anything from disabling two-factor authentication (only with an admin token since a Google update) to adding super-users to a Google Apps domain, modifying privileges or roles, and even revealing temporary passwords. On personal accounts, Gmail, Drive, Calendar, photos and other data would be exposed, as was all data via Google Takeout before a Google update the Wednesday before Def Con. Young’s app was particularly crafty in that upon installation it asked for permission to find and use accounts on the device and have full network access. At runtime, it gave permission for the app to access the Google account.

“The real risk is taking an app that’s already out there with a legitimate use for real credentials. If someone were to take one of these apps and add in some of the code from the proof of concept I release on Google Play or one of the Chinese marketplaces that aren’t regulated, they could attract a lot of people with a promise of, say, free phone calls,” Young said. “They are going to find some sensitive information worth something to somebody, or that would make people look bad.”

This article was updated at 4 p.m. ET to reflect clarifications throughout provided by Craig Young.
