Google Wallet app flaw could lead to compromise
Google has temporarily disabled the creation of prepaid payment cards while it investigates two security flaws made public last week that allow access to users' Google Wallet accounts on Android phones.
"We took this step as a precaution until we issue a permanent fix soon," Osama Bedier, Google Wallet and Payments vice president, wrote on the Google Commerce blog on Saturday.
The vulnerability targets a basic design decision in the application. If an Android phone on which Google Wallet is set up is lost or stolen, the account could be compromised simply by deleting the app's saved data, including the owner's PIN, from the phone's settings and relaunching the Wallet application. Google Wallet then runs through its setup steps again, allowing the crook to create a new PIN to access the funds associated with that Android device.
“Just like with any other credit card, you can get support when you need it,” Bedier wrote in his post. “We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorized transaction.”
Because the Google Wallet account is linked to the device and not to a Google account, the thief need not know the owner's login information. Resetting the password would allow them to log into Google Wallet and create a new prepaid card using funds stored in the account on that phone.
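The weakness described in the two paragraphs above is that the PIN and the "setup complete" state live only in the app's local data, so clearing that data returns the app to first-run setup and whoever holds the phone can pick a new PIN. The following Python model is an added example, not Google's code or anything from the article's sources; it contrasts that device-only trust with a hardened variant in which (re-)enrollment must be confirmed by a hypothetical account server that checks the owner's credentials. All class and function names, the hash parameters and the sample balance are constructed for illustration.

```python
"""
Added model of the Google Wallet design flaw: clearing app data resets the PIN.
Vulnerable: the only gate is a PIN record in local app data.
Hardened:  re-enrollment after a wipe requires the account owner's credentials.
All names and values are hypothetical; nothing here is Google's implementation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Constructed helper: a salted, slow hash stands in for whatever a real app uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class DeviceFunds:
    """Stored value bound to the device rather than to a Google account."""
    balance_cents: int = 2500   # constructed sample balance


@dataclass
class VulnerableWallet:
    """Device-only trust: the PIN record lives in app data and is the sole gate."""
    funds: DeviceFunds
    app_data: dict = field(default_factory=dict)

    def setup(self, pin: str) -> None:
        salt = os.urandom(16)
        self.app_data = {"salt": salt, "pin_hash": _hash_secret(pin, salt)}

    def clear_app_data(self) -> None:
        self.app_data = {}      # what "Clear data" in the phone's settings does

    def unlock(self, pin: str) -> bool:
        if not self.app_data:   # no PIN on record: the app re-runs setup ...
            self.setup(pin)     # ... and accepts whatever PIN is offered
            return True
        return hmac.compare_digest(
            _hash_secret(pin, self.app_data["salt"]), self.app_data["pin_hash"])


class AccountServer:
    """Hypothetical backend that knows which account owns the device."""
    def __init__(self, owner: str, password: str):
        self._owner = owner
        self._pw_salt = os.urandom(16)
        self._pw_hash = _hash_secret(password, self._pw_salt)

    def authenticate(self, user: str, password: str) -> bool:
        return user == self._owner and hmac.compare_digest(
            _hash_secret(password, self._pw_salt), self._pw_hash)


@dataclass
class HardenedWallet(VulnerableWallet):
    """Same local PIN, but enrollment is anchored to the account owner's credentials."""
    server: AccountServer = None

    def setup(self, pin: str, user: str = "", password: str = "") -> None:
        if self.server is None or not self.server.authenticate(user, password):
            raise PermissionError("enrollment requires the account owner's credentials")
        super().setup(pin)

    def unlock(self, pin: str) -> bool:
        if not self.app_data:   # wiped state means locked, not "start over"
            return False
        return hmac.compare_digest(
            _hash_secret(pin, self.app_data["salt"]), self.app_data["pin_hash"])


def demo() -> dict:
    """Run both designs through the lost-phone scenario and report the outcomes."""
    funds = DeviceFunds()
    vuln = VulnerableWallet(funds)
    vuln.setup("1234")
    thief_before_wipe = vuln.unlock("0000")     # wrong PIN is rejected
    vuln.clear_app_data()
    thief_after_wipe = vuln.unlock("0000")      # wipe lets a new PIN be set

    server = AccountServer("owner@example.com", "correct horse battery")
    hard = HardenedWallet(funds, server=server)
    hard.setup("1234", "owner@example.com", "correct horse battery")
    hard.clear_app_data()
    try:
        hard.setup("0000")                      # no credentials supplied
        reenrolled_without_creds = True
    except PermissionError:
        reenrolled_without_creds = False
    return {
        "vulnerable_thief_before_wipe": thief_before_wipe,
        "vulnerable_thief_after_wipe": thief_after_wipe,
        "hardened_unlock_after_wipe": hard.unlock("0000"),
        "hardened_reenroll_without_creds": reenrolled_without_creds,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the `unlock` branch on empty `app_data`: in the vulnerable design an empty record is treated as "first run" and the caller is trusted to choose the PIN, whereas the hardened design treats it as "locked until the owner proves who they are". Any real fix also has to decide where the stored value itself is anchored; the article notes that the funds are tied to the device, which is what makes the local PIN the only barrier.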
Joshua Rubin, a senior engineer with zvelo, a Greenwood Village, Colo.-based provider of website categorization technologies, claims to have discovered the second flaw when looking through the metadata table in the database used by the application. Rubin, in a blog post, demonstrated how a “Wallet cracker” app can quickly identify the PIN on the device.
However, a Google spokesman said that the approach Rubin used is unlikely to work for the vast majority of Android phones. Rubin required root access in order to run the cracker application, the spokesman told SCMagazine.com on Monday. Since he was working on his own phone, he could gain root access without destroying the data. If, however, he had tried to gain root access on someone else's phone without having the right code to do so, the attempt would have automatically deleted all data on the phone before he could reach the PIN. Officially, the spokesman said, Google does not support Wallet on a rooted device.
Google hopes to have a fix for the initial problem related to non-rooted devices later this week. The fix for the rooted devices might take longer, the Google spokesman said.