Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/6/2013
06:33 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

One Hacked Android User Can Lead To An Enterprise Breach

Google Android's single sign-on feature 'weblogin' convenient but risky to an organization's Google Apps, DEF CON researcher shows

DEF CON 21 – Las Vegas – Weaknesses in a single sign-on feature for Google Android devices can lead an attacker to compromise an entire organization via its Google Apps domain, a security researcher revealed here over the weekend.

Craig Young, senior security researcher with Tripwire, discovered multiple attack vectors that would allow a bad guy to target just one Android device to gain a foothold into the victim's Google cloud applications. The weak link is the so-called "weblogin" token used by Android to allow users to sign on once for all Google services, and it can be cheated when the attacker grabs the weblogin token and gains control of the access domain control panel.

"I can fully compromise Google Apps. It only takes one token," Young told the DEF CON 21 audience.

Young, who previously demonstrated how Android could be used to bypass Google's two-step authentication, says he had been curious about the risks of using Android in conjunction with Google Apps.

Android's weblogin feature basically uses cookies rather than passwords for accessing Google services. But the feature's convenience comes with tradeoffs: if an attacker uses it to access the domain control panel, he then can reset passwords, perform "data dumps," and download drive documents, Young said.

"The reason I [went] with this token research is I bought an Android tablet about a year ago and realized Chrome auto-signed me into Google's websites, which made me very unhappy. At that time, I hadn't realized Google Apps control panel was exposed this way, too: it was a real revelation," Young said in an interview with Dark Reading. "I had used Google Apps domain for a while now, and had always logged in using that admin account."

But after realizing the potential dangers, Young stopped that practice and launched his latest research.

[Ten Russia-based crime gangs are behind the majority of text-messaging toll fraud campaigns that can net affiliate marketers of the scams up to $12,000 a month. See Anatomy Of A Russian Cybercrime Ecosystem Targeting Android .]

Young says the best way to prevent such attacks is to avoid using an admin account on Android and to be suspicious of token requests. And the usual due diligence: shop only at trusted app stores and from trusted vendors, and run antivirus to look for root exploits.

"Companies using Google for the cloud need to make sure that their IT admins who need to have admin access to the Google Apps control panel do so but not necessarily from their [Android] phones. If they do, then they need to enter a password," he says.

Google was notified of Young's findings earlier this year. Google as of this posting had not responded to a request for comment on Young's research.

"Google has addressed some things," Young says. "They told me everything would and should be fixed, but it's not ... They need to block off access to the Google Apps control panel."

Young says a bad guy can access an Android user's weblogin or token, using a root exploit or rigged app. "Then they can access your Gmail and read all [of your mail] and contacts and start resetting your passwords for sites that you use for that account. That's a scary thing," he told the DEF CON audience. "You might not recognize that someone else is using your account," either.

Even if an attacker doesn't grab the admin phone token, he can still grab the weblogin token and access all of the documents the Android user has accessed, he said.

Young tested just how easy it would be for an attacker to plant a malicious app in the Google Play store. He created a phony app selling for $150 called "Stock Viewer" that sat undetected for about a month, even with the description: "This application provides quick access to your Google Stock Portfolio while completely compromising your privacy. If you prefer convenience over security then this app is for you! This application is currently under testing and should not be installed by anyone EVER."

The app didn't contain a root exploit, but Young says if it had, he's confident that Google would have caught the malicious code. Even so, Play and even Apple's store aren't foolproof. "They're not doing source-code review—they just look at the stuff in binary format. So you can't assign trust to Google or Apple for their stores" in actuality, Young contends.

Additional technical details of Young's research is available in his DEF CON presentation slides (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
8/12/2013 | 7:14:26 AM
re: One Hacked Android User Can Lead To An Enterprise Breach
Indeed, the Android market is far less regulated then others, but Google will react and pull apps if there are complaints or known to have vulnerabilities which might impact users. Android phones also make it easy to install non-market apps (simple setting in the OS), which requires a jailbreak in an apple device. I recommend reading further on this topic in the following article:

http://blog.securityinnovation...
BusDriver
50%
50%
BusDriver,
User Rank: Apprentice
8/7/2013 | 2:38:57 PM
re: One Hacked Android User Can Lead To An Enterprise Breach
I found this article's title to be disingenuous and unethically sensationalist, since it slyly implies that any hacked Android user is a risk to the Enterprise, and that's just not the case since that user has to be an Admin with Apps control panel rights.
Poor form Miss Higgins, you just lost my trust and respect.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...