A vulnerability has been found in Google’s one-click authentication feature, one that theoretically gives hackers the ability to steal users’ passwords.
The loophole was detailed by Tripwire researcher Craig Young at this year’s Defcon security conference in Las Vegas.
Young demonstrated a proof-of-concept rogue app that “can steal web-login tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services,” reports IDG News, via PC World.
According to Young, the app simply needs to convince the owner of the Android device to give it permission “to access a URL that starts with ‘weblogin’ and includes finance.google.com”.
Once this has been achieved, it would give the hacker access to the tokens they need to log into all of the user’s Google accounts.
That includes the Android user’s email, their Google Drive documents, their search history and so on.
Google did not respond to requests for comment.
The news comes just days after it was revealed that the FBI has the ability to hack into Android phones and remotely turn on their microphones.