Android's One-Click Google Auth Is a Buffet for Hackers

If you've got an Android device, you've probably used Google's handy one-click authentication shortcut, that handy little button that lets you sign into various Google service sites without having to enter your password. It's super convenient! For you and for hackers.

Craig Young, a researcher at security firm Tripwire, did some digging into how the system really works, and turned up some scary details in a presentation at Def Con last week. The underlying system—called "weblogin"— works by creating a special token that identifies you to various Google services. But it can be stolen easily, and when it is, it'll work for just about anything.

Young created a proof-of-concept app that pretended to be for viewing stocks, while in actuality it would steal a user's Google Finance login token and test it against other Google services like Google Apps, Gmail, Drive, Calendar, Voice. And when Young put the app on the Play Store—clearly labeled in the description as dangerous—it persisted for months, either unscanned (bad) or scanned and OKed (worse!) by Google's anti-malware system: Bouncer.

The vulnerability was reported to Google back in February, but since then only parts of the breach have been fixed, like full rips of account information via Google Takeout. Stolen tokens are still plenty useful for rifling through someone's Gmail though, or checking out the contents of their Drive.

Until there's some sort of fix, it's probably wise to avoid one-click auth, convenience be damned. That means saying "no" if you get any permission requests that mention weblogin. It's a bummer, but good security usually makes for some inconvenience, so be wary of the one-click option, now and in general. And never, ever forget that even Play Store apps might be trying to eat your lunch. [PC World]