Google Fixing Its Android Authentication Token Flaw To Plug User Login Credentials Leak

A recently discovered security flaw that could give a third party access to the Google account authentication tokens used by Android will soon be fixed for all users.

The flaw was originally discovered by German researchers, who feared that because Android sends authentication tokens in the clear, third parties could gain access to Google accounts.

Google did actually fix the flaw in its latest version of Android – Gingerbread 2.3.4. The problem for Google and its users though is the way Android is updated by carriers. With carriers and manufacturers both having their fingers in the OS – be it additional features or a skin – the vast majority of Android handsets aren’t going to see the update for months.

To fix the flaw more quickly, Google is now rolling out a server-side fix that will plug the hole for all devices connecting to Google’s servers. The search giant plans to have the fix in place for Android devices worldwide within a week.

The downside, though, is that while the fix applies to Calendar and Contacts, Google’s techies are still working on the issue with Picasa.

Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.

Google recently shared that the company is currently looking into the issue of software version fragmentation with the help of its carrier partners with a view to reducing the time it takes for updates to be rolled out to as many handsets as possible.
