Security researchers from Ulm University have reported that Google’s ClientLogin protocol can be used for an impersonation attack on Google services.
The researchers explained in their report that ClientLogin is an authentication mechanism used by Android apps. ClientLogin uses an authentication token (authToken), which is passed to Google services to enable access to user accounts. The researchers stated that if the authToken is sent unencrypted over the air, the user’s credentials can easily be stolen.
The underlying security issue is not a new idea or technique. Josh Daymont, principal at security firm Securisea, noted that what the Ulm University researchers found is a case of insecurely transmitted authentication cookies.
“This is a very old and well understood problem,” Daymont told InternetNews.com. “The most interesting aspect of this finding is not the technical details of the weakness, but more so that it was around for so long without anyone noticing until now.”
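A defender's check for the condition the researchers describe, an authToken leaving the device without encryption, is shown below as an added example; it is not code from the Ulm report or from Google. It assumes the token travels in an `Authorization: GoogleLogin auth=<token>` request header, and the hosts, tokens and request list are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Assumption: ClientLogin tokens are sent as "Authorization: GoogleLogin auth=<token>".
TOKEN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

# Constructed sample: requests recorded from an app under test (method, URL, headers).
SAMPLE_REQUESTS = [
    ("GET", "http://calendar.example.test/feeds/default",
     {"Authorization": "GoogleLogin auth=DQAAAEXAMPLETOKEN1"}),
    ("GET", "https://contacts.example.test/feeds/default",
     {"authorization": "GoogleLogin auth=DQAAAEXAMPLETOKEN2"}),
    ("GET", "http://static.example.test/logo.png", {}),
]


def find_cleartext_tokens(requests):
    """Return one finding per request that carries an authToken over a non-TLS URL."""
    findings = []
    for method, url, headers in requests:
        parts = urlsplit(url)
        # HTTP header names are case-insensitive, so normalise before lookup.
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
        match = TOKEN_RE.match(auth.strip())
        if match and parts.scheme.lower() != "https":
            token = match.group(1)
            findings.append({
                "method": method,
                "host": parts.hostname,
                "path": parts.path,
                # Never log the full credential; keep a short prefix for correlation.
                "token_hint": token[:4] + "...",
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_REQUESTS):
        print("authToken sent without TLS: {method} {host}{path} ({token_hint})".format(**f))
```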