Google AuthToken Vulnerability

Remember Firesheep? The software plugin for Firefox that allowed users to take advantage of authentication tokens being transmitted in cleartext across a shared medium, like a wireless network?

Apparently Google doesn’t.

Researchers at Ulm University have discovered a remarkably similar flaw in the communication between Android smartphones and Google web services: if you’re updating your calendar or contacts from a public Wi-Fi hotspot, eavesdropping and impersonation attacks are trivial. (This includes the automatic synchronization that is on by default on most handsets.) Apparently a patch is available, and if the history of Android is any indication, it might even be available to end users in a few months. Maybe.

