Android One-Click Authentication Security Hole Lets Hackers Steal Passwords

Despite having improved dramatically in terms of overall usability during the course of the last year thanks to that Project Butter update with Jelly Bean 4.1, Android’s malware situation remains very much its Achilles’ heel. It seems that scarcely a week goes by without some kind of outbreak or discovery by a security firm, and today, a worrying security hole has been discovered.

With the Black Hat Security Conference having been held last week, it’s been a particularly busy time for discovering exploits in all manner of software, but while iOS’s closed-source nature makes it rather easy on Apple to run its famously tight ship, Android users are often susceptible to the various non-niceties spreading through cyberspace.


According to a report, a security researcher at the Def Con security conference in Las Vegas has showcased an Android security hole that uses the native one-click authentication feature in order to obtain a user’s password. Craig Young, of Tripwire, has demonstrated how the technique could work by means of a rogue app, which would in turn phone home and allow the hacker to access many of your Google services.

Logins for anything from Gmail, Drive and Calendar to any other Google Apps could be snapped up by an opportunistic hacker. The disguised app makes this possible once it is given the green light on a permission request to access a URL that starts with ‘weblogin.’

Once a hacker has his hands on your passwords and can begin sifting through your emails and whatnot, you could be in real trouble, and although Google has yet to pass comment on the discovery, it’s certainly a sobering reminder that even though security is always improving and being updated, we cannot and should not take anything for granted.


Hopefully, Google will step out with some reassuring words in the near future, preferably along the lines of, "we’ve fixed it!" In the meantime, as ever, stick to Google Play Store apps and even then, be vigilant about the permissions each app asks of you, because if something unscrupulous does manage to find its way onto the Play Store, it will probably be asking for access to areas of your device it does not require.

(via Gizmodo)
