A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.
The feature is called "weblogin" and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.
Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.
Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.
The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users.
During installation, the app asks for permission to find accounts on a device, use the accounts on a device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with "weblogin" and includes finance.google.com.
This secondary prompt is uninformative and most users are likely to accept the request, Young said.
If they do, a weblogin token is generated and the users are automatically signed in to the Google Finance website. However, at the same time, the token is siphoned off through an encrypted connection to a server controlled by the attacker.
The issue is that this weblogin token works not only for Google Finance, but for all Google services, Young said.
For example, it can provide access to the victim's documents in Google Drive, emails in Gmail, calendar entries in Google Calendar, Google Web search history or potentially sensitive company data stored in Google Apps, the researcher said.
It can also be used to access a user's Google Play account and remotely install apps on his device or to access his accounts on third-party websites that support Google Federated Login.
If the user is an administrator for a company's Google Apps domain, the attack could compromise the company's entire Google Apps operation. The attacker would gain the ability to reset the passwords for other users on that Google Apps domain, create and modify privileges and roles, create and modify mailing lists, and even add new users with administrative privileges, the researcher said.
The issue was reported to Google in February and the company started blocking some of the things an attacker could do, Young said.
For example, an attacker authenticated via a weblogin token can no longer use the Google Takeout service to get a data dump for an entire Google Account and can no longer add new Google Apps users, although there is a workaround that still makes the latter action possible, Young said.
Young's app displays the weblogin permission prompt because it uses the standard Android API (application programming interface) to get the token. However, if the app used an exploit to get root privileges on the device, it would be able to grab the token without requiring user confirmation, he said.