Android one-click Google authentication method puts users, businesses at risk

A researcher has released a proof-of-concept Android app that can steal 'weblogin' authentication tokens

A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.

Security researcher Craig Young presents Google 'weblogin' risks at Defcon 21 security conference.

The feature is called "weblogin" and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.

Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.

Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.

The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users.

During installation, the app asks for permission to find accounts on a device, use the accounts on a device and access the network. When run, it then displays another prompt asking for permission to access a URL that starts with "weblogin" and includes

This secondary prompt is uninformative and most users are likely to accept the request, Young said.

If they do, a weblogin token is generated and the users are automatically signed in to the Google Finance website. However, at the same time, the token is siphoned off through an encrypted connection to a server controlled by the attacker.

The issue is that this weblogin token does not only work for Google Finance, but for all Google services, Young said.

For example, it can provide access to the victim's documents in Google Drive, emails in Gmail, calendar entries in Google Calendar, Google Web search history or potentially sensitive company data stored in Google Apps, the researcher said.

It can also be used to access a user's Google Play account and remotely install apps on his device or to access his accounts on third-party websites that support Google Federated Login.

If the user is an administrator for a company's Google Apps domain, the attack could compromise the company's entire Google Apps operation. The attacker would gain the ability to reset the passwords for other users on that Google Apps domain, create and modify privileges and roles, create and modify mailing lists, and even add new users with administrative privileges, the researcher said.

The issue was reported to Google in February and the company started blocking some of the things an attacker could do, Young said.

For example, an attacker authenticated via a weblogin token can no longer use the Google Takeout service to get a data dump for an entire Google Account and can no longer add new Google Apps users, although there is a workaround that still makes the latter action possible, Young said.

Young's app displays the weblogin permission prompt because it uses the standard Android API (application programming interface) to get the token. However, if the app used an exploit to get root privileges on the device, it would be able to grab the token without requiring user confirmation, he said.

The app stayed in Google Play for around a month until someone probably reported it as malicious, and during this time there was no indication it had been scanned by Bouncer, a Google Play service that searches for malicious apps in the marketplace, the researcher said. If it was scanned, then it wasn't flagged as malicious, which raises questions about Bouncer's effectiveness, he said.

After it was reported as malicious, the app was removed from Google Play, and Android's local app verification feature now blocks it as spyware when trying to install it.

Google did not respond to a request for comment sent Thursday.

Most Android antivirus products from well known vendors didn't detect the app as malware either, but one privacy advisor application did list the rogue app as having account access, Young said.

"Today's presentation showed that with enough ingenuity and effort you can easily bypass apparently well protected systems," said Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender, who attended Young's talk.

The only way to prevent these things from happening is to raise the cost of attacks, so that by the time one lock is bypassed, there is a new lock in place that needs to be breached, Cosoi said. Vulnerabilities can be found on a regular basis, so continuous research definitely helps in improving systems like Google Bouncer, making attacks more costly for hackers to pull off, he said.

Businesses shouldn't allow their IT administrators to use Google accounts on their Android devices that are also Google Apps domain administrators, Young said.

Users should be wary of apps that request access to accounts added on the device and should answer "no" to permission prompts containing the words "weblogin" or "ID," he said.
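As an added example, not code from the article or from Young's proof-of-concept: a small Python triage script that reads an Android manifest and flags the permission combination described above (finding accounts on the device, using those accounts to obtain tokens, and network access to send them off the device). The permission constant names are the standard Android ones, which the article does not quote, and both manifests are constructed samples.

```python
"""Flag Android manifests whose permissions allow the account-token theft
pattern described in the article: enumerate accounts, request an auth token
for one of them, and ship it to a remote server."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Standard Android permission names behind the three install-time prompts the
# article mentions (find accounts, use accounts, access the network).
ACCOUNT_DISCOVERY = {"android.permission.GET_ACCOUNTS"}
ACCOUNT_USE = {"android.permission.USE_CREDENTIALS"}
NETWORK = {"android.permission.INTERNET"}

# Constructed sample: a "stock viewer" requesting exactly the risky trio.
SAMPLE_ROGUE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.stockviewer">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Stock Viewer"/>
</manifest>""" % ANDROID_NS

# Constructed sample: an app that only needs the network.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>""" % ANDROID_NS


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def token_exfil_risk(perms):
    """Rate the manifest: 'high' when tokens can be both obtained and sent
    off-device, 'medium' when only account access is present, else 'low'."""
    finds, uses, net = (bool(perms & ACCOUNT_DISCOVERY),
                        bool(perms & ACCOUNT_USE), bool(perms & NETWORK))
    reasons = [r for ok, r in ((finds, "can enumerate device accounts"),
                               (uses, "can request auth tokens for them"),
                               (net, "can send data to a remote server")) if ok]
    level = "high" if (uses and net) else "medium" if (finds or uses) else "low"
    return level, reasons


if __name__ == "__main__":
    for m in (SAMPLE_ROGUE_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(token_exfil_risk(declared_permissions(m)))
```

On a device, the same three-way check is what a privacy-advisor app performs when it lists an app as having account access; a "high" rating is the cue to refuse the follow-up "weblogin" prompt.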

Google should create an option to allow Google Apps domain owners to block Google Apps access via weblogin and should make the weblogin prompts more informative so that users understand what they do, the researcher said.

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts