The Google Admin application – which allows users to manage their Google for Work accounts from their Android devices – contains an unpatched vulnerability that can be exploited to read data from any file within the Google Admin sandbox.
The vulnerability – identified by security researchers with MWR Labs and deemed medium in severity – affects Google Admin version 2014101605 and lower, Rob Miller, senior security researcher with MWR InfoSecurity, wrote in an advisory published on Thursday.
“The vulnerability discovered allows other applications on the same phone as a Google Admin app to read credentials from the Admin app, potentially letting [a] malicious app perform actions on the Gmail for work accounts using these credentials, without any interaction from the user,” Miller told SCMagazine.com in a Friday email correspondence.
Miller explained that a file containing a token plays into the threat.
“A key file in the Google Admin sandbox is a file holding a token that is used by the app to authenticate itself with the server,” he said. “A malicious app could exploit the vulnerability found to read this token and attempt to log in to the Google for Work server.”
Since Google has not issued a patch and exploiting the bug requires a malicious app to already be installed on the device, Miller simply recommended that users not install untrusted third-party applications on devices that run Google Admin.
MWR Labs identified the vulnerability in March and disclosed it to the Google Security team, which quickly acknowledged the bug and indicated that an update would be released, the advisory said. Months later the update still had not arrived, so the researchers notified Google of their intent to publish the advisory.
Google did not respond to a SCMagazine.com email request for comment.
UPDATE: A Google spokesperson told SCMagazine.com on Friday, “We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected.”