Hackers have been uncovering a lot of Android security holes lately, including one vulnerability that lets hackers turn legitimate Android apps into malware and another that has given the FBI the ability to remotely flip on Android phones’ microphones to record conversations. Now IDG News, via PCWorld, reports that a security researcher at the Defcon security conference in Las Vegas this weekend showed off a new Android exploit that uses Google’s one-click authentication feature to steal users’ passwords.

As IDG News writes, Tripwire researcher Craig Young has created “a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.” The app is able to do this by getting Android users to give it permission “to access a URL that starts with ‘weblogin’ and includes finance.google.com,” which then gives it access to the tokens it needs to log into all of the users’ Google accounts. From there, hackers can access Android users’ email, their Google Drive documents, their search history and much, much more.

Google did not respond to IDG’s request for a comment.

Prior to joining BGR as News Editor, Brad Reed spent five years covering the wireless industry for Network World. His first smartphone was a BlackBerry but he has since become a loyal Android user.