Android ClientLogin Security Flaw Puts 99% Of Users At Risk, Say Researchers

A huge percentage of Android users may be vulnerable to password theft because of a security flaw affecting several commonly used apps, according to researchers at the University of Ulm in Germany.

Using several different Android devices, researchers ran apps over unsecured WiFi connections and claimed they were able to intercept authentication information (account names and passwords) belonging to user accounts used on the handsets.

The susceptible apps all use Google's ClientLogin authentication protocol to pass data between a user's account and the Google servers. Google Calendar, Google Contacts, Google Gallery apps and more are apparently vulnerable to this exploit.

"This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures," the research report reads. "This is not limited to items currently being synced but affects all items of that user."

The Register reports that separate research has found that Facebook and Twitter apps may also put the user at risk.

All personal data associated with the user's account could be susceptible to theft once the user's authentication data is tapped.
The report goes on to warn,

The implications of this vulnerability reach from disclosure to loss of personal information for the Calendar data. For Contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing. For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business.

The exploit is present in Android versions 2.3.3 and earlier, which means that it could affect as many as 99.7% of users. The researchers advise users to upgrade to Android 2.3.4, if possible.