Google to patch Android credentials vulnerability


Well, that didn’t take long. Yesterday, we told you about an Android vulnerability found in ClientLogin that could have serious security ramifications. Using a dummy open access point, a nefarious third party could passively collect, via Wi-Fi, authentication tokens for password-protected services such as Facebook, Twitter, and Google Calendar stored on affected Android devices. Speaking with Mobilized’s Ina Fried, the Android-maker has stated that it is taking action, and fast. “Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts,” Google told the publication. “This fix requires no action from users and will roll out globally over the next few days.” The vulnerability will still be present in the company’s Picasa online photo offering, but Google stated that it is working to patch that service as well.


25 Comments
  • Anonymous

    So where are all the people yesterday that were whining about how this adds to fragmentation? Sounds like not the case.

    * Enter people who can find something to complain about*

    • Noops

      Lol..what now iSheep?

      • Anonymous

        What now isheep? haha this is the least of android’s problems. Android the windows of the smartphone world. That is all.

      • Noops

        I guess you’re admitting that you’re an iSheep? If Jobs made a cake from his poop you would eat it with a smile on your face

      • Steve Hillshire

        They did this all wrong I admit.  First they should have denied it was a problem.  Then they should have said that it was there but nothing could access it.  Then (weeks later) they should have come out with a patch to “fix” the non-existent problem.  Hell, it works for your daddy, why not Google?

      • Bringit

        riiiight – this will be the end of Android fragmentation problems.  Not Noops – more like nopes. 

      • Noops

        I never said it will end fragmentation. U eat poop cakes too?

        I lol’d at nopes..

      • Bringit

        “what now” sounds like the problems are over, when clearly they are not.

        Glad you liked nopes Noops. 

    • Anonymous

      I’ll believe it when it rolls out for non nexus devices.

      • Anonymous

        What part of “server-side” patch was unclear?

    • Joel

      So you’re happy because google has decided to remotely apply a patch to your phone without your knowledge or acceptance of the update?

      • Anonymous

        Yes for the most part. I would rather they let me acknowledge it so I know I have it but after I click yes, I’m not going to remember.

      • Anonymous

        This is a  server side fix, not client side.  They’re not rolling anything out to your phone, it’s all on the back end.

      • Anonymous

        Oh wow. Then my comment below is null.

  • Anonymous

    Are you telling me that google has had the ability to upgrade our phones this quickly with new versions of android since the beginning?!

    Surely even NORM will rage about that!

    • http://twitter.com/brianMedeiros Brian M

      the fix is on Google’s server end, not on android devices. I wish fixes to android were this easy.

    • http://www.droiddoes.com/ Norm

      Part of the freedom and choice that comes with android is also allowing yourself to let go and let Google have some control as they really know what’s best for us.

      • http://twitter.com/brianMedeiros Brian M

        i give control to google, it’s letting my data carrier and hardware provider dictate my software that i don’t like

      • http://twitter.com/MrKow84 Kyle

        wait so having freedom is letting someone control you ? 

      • Steve Hillshire

        You poor guy.  Norm is actually in your Apple camp.  Even though he isn’t being very original anymore, some of his posts in the past have been quite funny.

      • ThatDUDEthere

        You’ve just been going around this site all day getting normed.
        Chill out idiot.

  • Anonymous

    No action from users? So, the phone will just update itself?

    • Droidman101

      SERVER-SIDE PATCH
      AKA, nothing will be put ON your phone

  • Anonymous

    The phrase of the day, boys and girls, is server side fix. I know that a lot of places haven’t made that clear but, as a server side fix, you don’t get to cheer/complain about things getting sent to Android phones without permission because nothing is getting sent to your phone. It’s on the backend, as it were.

  • http://twitter.com/BenComicGraphic Ben Carver

    Let’s walk through what the vulnerability truly is.

    Let’s say you’re at a Starbucks.  You check your calendar and a few tables away from you, a guy targeting you is sniffing your data packets to find out when you are going to the dentist next week.  Or the picture of the cute cat you want to upload.

    That’s. all. it. is.

    Nothing more.  Oh, and BTW, this is a flaw with most platforms using unsecured WiFi, not only Android.

    BTW… Macs get a massive trojan attack, AppleCare told not to help customers.  Let’s talk about RELEVANT news.
