According to researchers at Universität Ulm in Germany, the majority of devices running Google's Android operating system are vulnerable to an attack that lets an eavesdropper steal the credentials the phone uses to access Google Calendar, Contacts and other services.
The weakness lies in ClientLogin, the authentication protocol used by the built-in sync applications in Android 2.3.3 and earlier. After the user submits valid credentials for Google Calendar, Contacts or another service, the API returns an authToken, which the device then sends in cleartext over unencrypted HTTP with every subsequent request. The token stays valid for about 14 days, so anyone who captures it, for example on an open Wi-Fi network, can replay it during that window and gain access to the account.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," stated the researchers at the university's Institute of Media Informatics. "The short answer is: Yes, it is possible, and it is quite easy to do so."
Google patched the issue for Calendar and Contacts in Android 2.3.4, but that version still sends the Picasa synchronization token in the clear. Given that about 99% of Android devices run 2.3.3 or earlier, a large number of Android users remain exposed. Google has said it is aware of the issue and is working on a fix.
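The exposure described above, as an added example that is not from the article or from the Ulm researchers: a small Python scanner that walks constructed capture records, flags plaintext HTTP requests carrying a `GoogleLogin auth=` header (the documented ClientLogin header format), redacts the token so the finding itself does not leak it, and uses the article's 14-day figure to compute how long a sniffed token would remain replayable. The capture record layout, the set of plaintext ports and the token values are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Documented ClientLogin header shape. A match on an unencrypted connection
# means a reusable bearer token is visible to anyone on the network path.
GOOGLELOGIN_RE = re.compile(
    r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$", re.IGNORECASE | re.MULTILINE
)
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

# Lifetime quoted in the article: a captured token stays usable for about 14 days.
TOKEN_LIFETIME = timedelta(days=14)

# Ports on which HTTP headers travel in the clear (assumption for this example:
# plain pcap-style destination ports, no proxies).
PLAINTEXT_HTTP_PORTS = {80, 8080}


def redact(token: str) -> str:
    """Keep just enough of a token to correlate findings without re-exposing it."""
    if len(token) <= 10:
        return "***"
    return token[:6] + "..." + token[-4:]


def replay_deadline(captured_at: datetime) -> datetime:
    """Latest time a sniffed token is expected to still be accepted."""
    return captured_at + TOKEN_LIFETIME


def scan_capture(records):
    """Scan (timestamp, dst_port, payload) tuples from a passive capture.

    Returns one finding per plaintext HTTP request that carries a GoogleLogin
    authToken. TLS traffic is skipped: its headers are not visible to a sniffer,
    which is why moving the sync traffic to HTTPS closes the hole.
    """
    findings = []
    for captured_at, dst_port, payload in records:
        if dst_port not in PLAINTEXT_HTTP_PORTS:
            continue
        # HTTP/1.1 headers are byte-oriented; latin-1 maps every byte to a char.
        text = payload.decode("latin-1")
        match = GOOGLELOGIN_RE.search(text)
        if not match:
            continue
        host = HOST_RE.search(text)
        findings.append({
            "captured_at": captured_at,
            "host": host.group(1) if host else "?",
            "request_line": text.split("\r\n", 1)[0],
            "token": redact(match.group(1)),
            "replayable_until": replay_deadline(captured_at),
        })
    return findings


# Constructed sample capture (not real traffic): two sync requests from a
# pre-2.3.4 device on an open Wi-Fi network, one TLS record and one unrelated
# plaintext request. Token values are placeholders.
T0 = datetime(2011, 5, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_CAPTURE = [
    (T0, 80,
     b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAMYAAAB_PLACEHOLDER_TOKEN_0123456789\r\n\r\n"),
    (T0 + timedelta(seconds=5), 80,
     b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAMYAAAC_PLACEHOLDER_TOKEN_abcdefghij\r\n\r\n"),
    # Opaque TLS record fragment: nothing for a passive sniffer to read.
    (T0 + timedelta(seconds=9), 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
    (T0 + timedelta(seconds=12), 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"{f['captured_at']:%Y-%m-%d %H:%M} {f['host']} {f['request_line']}")
        print(f"   token {f['token']} sent in the clear; "
              f"replayable until about {f['replayable_until']:%Y-%m-%d}")
```

Run against a real capture, the same logic would flag only the plaintext sync requests; the same request sent over TLS produces no finding, which is the whole effect of the Android 2.3.4 change for Calendar and Contacts. The `replayable_until` column is what makes the finding actionable: a token sniffed once is worth rotating (or the device reset) for the full 14 days, not just while the victim is on the hostile network.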
[The Register UK]