Home page logo
/

bugtraq logo Bugtraq mailing list archives

Attacking Google Accounts with 'weblogin:' Tokens
From: Craig Young <vuln-report () secur3 us>
Date: Tue, 6 Aug 2013 16:07:58 -0400

For those who missed it, I would like to spread awareness about how
conveniences built into the Google eco-system can allow an
application, a physical user, or a forensics expert to access almost
everything in your Google account.

[LINKS]
A nice summary from Lucian Constantine:
http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

Intro Blog: 
http://www.tripwire.com/state-of-security/off-topic/defcon-sneak-peek-how-risky-is-google-apps-for-your-business/
DEF CON 21 slides are here: http://secur3.us/DC21Slides.pdf
Brief Demo Recording: http://secur3.us/DC21-ShortDemo.mp4
Android PoC here: http://secur3.us/DC21-PoC.apk
PoC Source here: http://secur3.us/DC21-PoC.java

Please note that the app will send your token to my server. I am not
doing anything with them but it will log your account names on my
server.  I would like to encourage all Android AV vendors to strive to
block not just this app but any app which is sending tokens off the
device.  I am also recommending that any Google Apps administrator
accounts should not be used with Android devices -- you wouldn't
browse web sites and run untrusted code as root, would you?  (i.e.
follow the principle of least permission)

My proof of concept used Android with AccountManager API calls but
this threat extends beyond Android and likely onto anything which will
run Chrome.  For example, iPhone/iPad support the same feature I am
abusing according to Google:
http://www.google.com/intl/en/chrome/browser/mobile/ios.html and
Mac/PC Chrome also definitely supports this as outlined by Duo
Security's recent blog post:
https://blog.duosecurity.com/2013/08/beyond-google-application-specific-password-exploiting-google-chromes-stored-oauth2-tokens/

Thanks,
Craig Young
Senior Security Researcher, Tripwire VERT
Follow: @CraigTweets


  By Date           By Thread  

Current thread:
  • Attacking Google Accounts with 'weblogin:' Tokens Craig Young (Aug 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault