Google Patches Sidejacking Vulnerability - InformationWeek
IoT
IoT
Mobile
News
5/25/2011
11:20 AM
50%
50%

Google Patches Sidejacking Vulnerability

The server-side patch fixes an authentication bug that affects 99.7% of Android users and their access to Calendar and Contacts.

12 Essential Android Apps For SMBs
Slideshow: 12 Essential AndroidApps For SMBs
(click for larger image and for full slideshow)
Google has been rolling out a server-side patch for the ClientLogin authentication protocol vulnerability that affects 99.7% of Android smartphones.

"We recently started rolling out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," said a Google spokesperson via email.

Google's fix comes in response to a warning, published earlier this month by researchers at the University of Ulm in Germany, that Android devices could be exploited in a sidejacking-like attack. Just as website session cookies can be stolen (sidejacked), allowing attackers to impersonate a user, attackers could sniff data being sent to and from Android smartphones that are connected to unsecured Wi-Fi networks--by using a tool such as Wireshark--and capture tokens for any Google service that uses the ClientLogin authentication protocol. Applications that use this protocol include Google Calendar, Contacts, and Picasa, as well as third-party applications for Facebook and Twitter.

Android smartphone users running the latest OS, 2.3.4, were already protected against the vulnerability. But 99.7% of Android users are still on older operating systems.

Accordingly, Google's solution has been a server-side fix that forces Android devices to use HTTPS--to keep data encrypted--when syncing with the Google Contacts or Calendar, so that authentication credentials can't be intercepted. "The great news is that it doesn't require a software update on the Android devices themselves--meaning the fix is automatic and worldwide. Effectively this is a silent fix," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

No attacks have been seen that exploit the vulnerability, and a fix is still in the works for Picasa. For now, Picasa users can mitigate the vulnerability by avoiding unsecured Wi-Fi networks, which would prevent their authentication credentials from being stolen.

Security-wise, Google's server-side patch is a crucial move because most cell phone carriers rarely push patches or OS updates to their customers. Because of that, some industry watchers had worried that Google would have difficulty securing older devices. For now, it's dodged that bullet, but in the future, major flaws could still pose a problem. "Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates," said Cluley.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll