An exploit that could have allowed an intruder to bypass Google's 2-step verification and gain full control of a user's account was left open for seven months before Google patched the problem last week.
"After you’ve linked your [Android] device to a Google account, the browser [on your phone] will let you use your device’s existing authorization to skip Google’s web-based sign-on prompts," Duo Security CEO Jon Oberheide explained in a blog post.
The exploit took advantage of Google's auto-login feature in Chrome for Android. The vulnerability persisted for seven months until Google's release of Chrome 25 for Android last week closed the security hole.
"Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal. This included the 'Account recovery options' page, on which you can add or edit the email addresses and phone numbers to which Google might send password-reset messages," Oberheide said. "If you can access the 'Account recovery options' page for a Google account, then you can seize complete control of that account from its rightful owner."
Most daily users of Chrome for Android have had their browsers updated automatically, but anyone who has not opened Chrome since last Thursday's update may still be vulnerable to this type of attack.
To break into a user's Google account this way, an intruder needed the Android phone in hand. Although this particular problem has been patched, Oberheide cautioned users to review what a linked device is permitted to do on their behalf, by checking the settings page of each app that holds a login for one of their accounts.
Although most data breaches and hacks are carried out remotely, attacks that require physical access should not be overlooked: a stored credential on an unlocked or stolen device can be worth as much as a password, so protect the devices themselves as well as the accounts behind them.