One Hacked Android User Can Lead To An Enterprise Breach

Google Androids single sign-on feature weblogin convenient but risky to an organizations Google Apps, DEF CON researcher shows

DEF CON 21 – Las Vegas – Weaknesses in a single sign-on feature for Google Android devices can lead an attacker to compromise an entire organization via its Google Apps domain, a security researcher revealed here over the weekend.
Craig Young, senior security researcher with Tripwire, discovered multiple attack vectors that would allow a bad guy to target just one Android device to gain a foothold into the victims Google cloud applications. The weak link is the so-called weblogin token used by Android to allow users to sign on once for all Google services, and it can be cheated when the attacker grabs the weblogin token and gains control of the access domain control panel.
I can fully compromise Google Apps. It only takes one token, Young told the DEF CON 21 audience.
Young, who previously demonstrated how Android could be used to bypass Googles two-step authentication, says he had been curious about the risks of using Android in conjunction with Google Apps.
Androids weblogin feature basically uses cookies rather than passwords for accessing Google services. But the features convenience comes with tradeoffs: if an attacker uses it to access the domain control panel, he then can reset passwords, perform data dumps, and download drive documents, Young said.
The reason I [went] with this token research is I bought an Android tablet about a year ago and realized Chrome auto-signed me into Googles websites, which made me very unhappy. At that time, I hadnt realized Google Apps control panel was exposed this way, too: it was a real revelation, Young said in an interview with
Dark Reading
. I had used Google Apps domain for a while now, and had always logged in using that admin account.
But after realizing the potential dangers, Young stopped that practice and launched his latest research.
[Ten Russia-based crime gangs are behind the majority of text-messaging toll fraud campaigns that can net affiliate marketers of the scams up to $12,000 a month. See
Anatomy Of A Russian Cybercrime Ecosystem Targeting Android
.]
Young says the best way to prevent such attacks is to avoid using an admin account on Android and to be suspicious of token requests. And the usual due diligence: shop only at trusted app stores and from trusted vendors, and run antivirus to look for root exploits.
Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their [Android] phones. If they do, then they need to enter a password, he says.
Google was notified of Youngs findings earlier this year. Google as of this posting had not responded to a request for comment on Youngs research.
Google has addressed some things, Young says. They told me everything would and should be fixed, but its not ... They need to block off access to the Google Apps control panel.
Young says a bad guy can access an Android users weblogin or token, using a root exploit or rigged app. Then they can access your Gmail and read all [of your mail] and contacts and start resetting your passwords for sites that you use for that account. Thats a scary thing, he told the DEF CON audience. You might not recognize that someone else is using your account, either.
Even if an attacker doesnt grab the admin phone token, he can still grab the weblogin token and access all of the documents the Android user has accessed, he said.
Young tested just how easy it would be for an attacker to plant a malicious app in the Google Play store. He created a phony app selling for $150 called Stock Viewer that sat undetected for about a month, even with the description: This application provides quick access to your Google Stock Portfolio while completely compromising your privacy. If you prefer convenience over security then this app is for you! This application is currently under testing and should not be installed by anyone EVER.
The app didnt contain a root exploit, but Young says if it had, hes confident that Google would have caught the malicious code. Even so, Play and even Apples store arent foolproof. Theyre not doing source-code review—they just look at the stuff in binary format. So you cant assign trust to Google or Apple for their stores in actuality, Young contends.
Additional technical details of Youngs research is available
in his DEF CON presentation slides
(PDF).
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
One Hacked Android User Can Lead To An Enterprise Breach