Android Exploit Allows Password Theft via One-Click Auth

At the DEF CON security conference in Las Vegas, a security researcher revealed that hackers can acquire passwords from Android devices by taking advantage of an exploit in the "weblogin" one-click service. This typically generates a unique token stored on a device that saves the user's login information, preventing them from having to enter the data each time they use an app or website.

Craig Young, a researcher at security firm Tripwire, provided a proof-of-concept during his presentation that used a rogue app to steal weblogin tokens. This app could send stolen tokens back to the "hacker" who in turn could use them in a browser to impersonate the victim, accessing their gmail, Google Drive, Google Voice and other Google services.

Young said this app was designed to masquerade as a stock viewing app for Google Finance and was actually published on Google Play. When downloaded, it would ask for permission to locate the accounts on the device, and use those accounts to access the network. Once launched, the app would prompt the user again for permission to access a URL beginning with "weblogin" and included He said most users likely accept a second request like this because it's "uninformative."

Once the user granted permission, the fake app would log into Google's financial site while also sending the token to the hacker via an encrypted connection. The problem, he said, is that the token doesn't merely work for Google Finance; it can be used across the entire Google portfolio of services. That includes accessing Google Play and remotely installing apps on the victim's devices, getting information from third-party websites via Google Federation Login, and Google Apps.

Young said that the app's listing on Google Play clearly stated that it was malicious and shouldn't be installed by users. However, it remained on Google Play for a good month, and was likely removed because someone reported it to Google. He said that there were no signs that it had been scanned by Bouncer, Google's built-in scanner that combs through Google Play for malicious apps. If it was scanned, then it wasn't tagged as malicious, he said.

Android's local app verification feature will now block Young's app as spyware. Meanwhile, Google was reportedly made aware of the exploit back in February. Since then has started blocking some of the things an attacker previously could perform such as using a token to access Google Takeout and download an entire dump of a Google Account.

"Today's presentation showed that with enough ingenuity and effort you can easily bypass apparently well protected systems," said Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender.

He told The IDG News Service that users should be wary of apps that have permissions with the words "ID" and "weblogin" in them. IT administrators also serving as Google Apps admins shouldn't use Google accounts on their work-related Android devices.

  • Jeff Krogue
    You would have to be crazy to do anything secure on smartphones until they get more mature.
  • Grandmastersexsay
    11308048 said:
    You would have to be crazy to do anything secure on smartphones until they get more mature.

    You're safer doing something secure on a smartphone than on a Windows based computer.

    There just aren't enough hackers going after smart phones compared to those going after Windows based platforms. Not even close. Not yet at least.
  • pacomac
    The iOS fans are sniggering to themselves!
  • jerm1027
    What really bugs me about these articles is that they don't state which versions of Android are affected. Not very informative.
    I'm also noticing a common theme with these security vulnerabilities: lack of in-depth permission controls. It's either give the app all permissions it asks for, or don't install the app. I would like the ability to pick and choose which permissions to grant the app from which it asks for.
  • okibrian
    Well well well, what do we have here? And it was published on Google Play for a good month you say too. That's funny. I guess your shit does stink.
  • theclouds
    This is actually good news for Android because security vulnerability can be patched. No OS is impregnable, it really comes down to how less susceptible they are to exploits like this. Consider this relationship: The more popular an OS becomes the more enticing an OS is to security experts and black hats, but at the same time the OS gets more secure because these holes are patched with time. Arms race.