Single Android flaw can be used to target entire enterprise


ID: IRCNE2013081919
Date: 2013-08-13

According to "zdnet", a security researcher exploring the weak links in Google's Android ecosystem says that a single feature can be used to take down a plethora of business applications -- and ignore two-step verification entirely.
Speaking at the Def Con 21 hacking conference, Craig Young, a senior security researcher at Tripwire, said he is able to "fully compromise Google Apps" using only one feature. The weak link? The "weblogin" token that allows Android users to sign in once for all Google-based services, as reported by Dark Reading.
Rather than using passwords, the feature basically uses cookies -- but if an attacker gains access to the domain control panel, then havoc can ensue. Once breached, a hacker could reset passwords, download files from Drive, disable two-step verification, modify user roles and create mailing lists -- potentially full of spam or malicious content.
Young says the best ways to protect yourself and your business against such threats are to remain vigilant when receiving token requests, run antivirus software to seek out root exploits, and only purchase or download applications from trusted sources.
