Researchers from Ulm University have found a security flaw, similar to sidejacking, in Google's Android operating system that affects some 99.7% of the platform's users. The flaw involves Google's ClientLogin authentication API, and according to the report it could allow an attacker on the same network to steal contact lists, calendar events, and other sensitive data.
Their research stemmed from a blog post on Freedom to Tinker a few months earlier, in which Dan Wallach described an Android traffic-sniffing demonstration he ran on an open Wi-Fi network for an undergraduate computer science class. He found that Google properly encrypts traffic for Gmail and Google Voice, but that Google Calendar traffic could be easily eavesdropped on and even impersonated. Twitter, he said, sends everything in the clear but uses OAuth signatures, which makes it difficult for a third party to forge tweets. Facebook is equally open: while Facebook offers full-time encryption on the Web, the Android app does not appear to use it, leading Wallach to conclude that an attacker could inject bogus posts into Facebook.
The Ulm researchers, Bastian Könings, Jens Nickels, and Florian Schaub, go one step further, claiming not only that the above attacks are possible, but that in principle any Google service using the ClientLogin API, on an Android device or not, could be vulnerable. ClientLogin is the protocol installed applications use to authenticate to Google services: the application submits the user's credentials and receives an authToken that it attaches to its subsequent requests. The problem, the researchers say, is that the affected applications send those token-bearing requests over plain HTTP rather than HTTPS, so anyone on the same network can read the token and replay it to impersonate the user. The researchers reported that their sniffed tokens remained valid for several days, which makes it practical for an attacker to set up a Wi-Fi access point with a common SSID, wait for devices to connect automatically, harvest large numbers of auth tokens, and use them later from a different location.
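The following script, an added example rather than code from the Ulm report or from Google, shows what the attack and its detection look like at the packet level. It parses constructed captures of the kind a sniffer on an open Wi-Fi network would see, pulls ClientLogin tokens out of any request that went over cleartext HTTP (the documented header format is `Authorization: GoogleLogin auth=<token>`), and then shows the client-side guard a developer would want: a helper that refuses to attach the token to anything but an https:// URL. The captures, hostnames, token values and function names are all constructed for the demonstration.

```python
"""Finding ClientLogin authTokens sent over cleartext HTTP.

Added example, not code from the Ulm report or from Google. The captures
below are constructed for the demonstration and the token values are
made up; the only real detail relied on is the documented header format
for ClientLogin requests, "Authorization: GoogleLogin auth=<token>".
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed captures: (client address, server port, TCP payload).
# Port 80 traffic is cleartext, so a sniffer on the same open network sees
# the whole request. Port 443 traffic is TLS; the sniffer sees only
# ciphertext (stand-in bytes here).
CAPTURED_SEGMENTS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.12", 80,
     b"GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAK4AAAD-example-calendar-token\r\n"
     b"User-Agent: Android-GData/1.0\r\n\r\n"),
    ("10.0.0.12", 80,
     b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAK4AAAD-example-contacts-token\r\n\r\n"),
    ("10.0.0.12", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),  # no credential
    ("10.0.0.12", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1..."),  # TLS, opaque
]


def parse_http_request(payload: bytes) -> Optional[Dict]:
    """Parse a plaintext HTTP/1.x request head; return None if it is not one."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary payload (e.g. TLS records), not an HTTP request
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def clientlogin_token(req: Dict) -> Optional[str]:
    """Return the ClientLogin authToken carried by a request, if any.

    Other Authorization schemes (Basic, OAuth, ...) are ignored.
    """
    auth = req["headers"].get("authorization", "")
    scheme, _, params = auth.partition(" ")
    if scheme.lower() != "googlelogin":
        return None
    for param in params.split(","):
        key, sep, value = param.strip().partition("=")
        if sep and key.strip().lower() == "auth":
            return value.strip()
    return None


def harvest_cleartext_tokens(segments) -> List[Tuple[str, str, str, str]]:
    """Tokens that went out in the clear: what an attacker on the network can
    collect, and what a network defender can alert on.

    Returns (client, host, path, token) tuples.
    """
    found = []
    for client, port, payload in segments:
        if port == 443:
            continue  # TLS: any token inside is not visible to a sniffer
        req = parse_http_request(payload)
        if req is None:
            continue
        token = clientlogin_token(req)
        if token:
            found.append((client, req["headers"].get("host", "?"), req["path"], token))
    return found


def authorized_request_headers(url: str, token: str) -> Dict[str, str]:
    """Client-side guard: attach the token only to an https:// request.

    Replaying a sniffed token is nothing more than sending this same header
    from another machine, which is why it must never travel in the clear.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send ClientLogin token over cleartext: {url}")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    for client, host, path, token in harvest_cleartext_tokens(CAPTURED_SEGMENTS):
        print(f"{client} -> http://{host}{path}  token={token}")
    print(authorized_request_headers("https://www.google.com/calendar/feeds/", "tok"))
```

Run against the constructed captures, the harvester reports the two Calendar and Contacts requests and nothing for the credential-free page or the TLS segment; the guard raises on the http:// URL and returns the header for the https:// one. A network IDS rule that matches `GoogleLogin auth=` in cleartext HTTP is the same check expressed as a signature.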
The dangers of this sort of vulnerability go beyond the potential loss of personal and sensitive information. An attacker can leverage this bug to launch more subtle social engineering attacks; their example is that “an adversary could change the stored email address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”
On May 20, Google announced that it was rolling out a transparent fix on its own side that does not require an Android OS update. However, the researchers note that this fix will not prevent the reuse of tokens that have already been captured. They therefore recommend that anyone who suspects their tokens may have been sniffed change their Google password, which invalidates the outstanding auth tokens.
For more information on this issue, and for recommendations on what developers, Android users, and Google can do to avoid these sorts of issues in the future, you can find the entire report here.