For those who missed it, I would like to spread awareness about how conveniences built into the Google eco-system can allow an application, a physical user, or a forensics expert to access almost everything in your Google account. [LINKS] A nice summary from Lucian Constantine: http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html Intro Blog: http://www.tripwire.com/state-of-security/off-topic/defcon-sneak-peek-how-risky-is-google-apps-for-your-business/ DEF CON 21 slides are here: http://secur3.us/DC21Slides.pdf Brief Demo Recording: http://secur3.us/DC21-ShortDemo.mp4 Android PoC here: http://secur3.us/DC21-PoC.apk PoC Source here: http://secur3.us/DC21-PoC.java Please note that the app will send your token to my server. I am not doing anything with them but it will log your account names on my server. I would like to encourage all Android AV vendors to strive to block not just this app but any app which is sending tokens off the device. I am also recommending that any Google Apps administrator accounts should not be used with Android devices -- you wouldn't browse web sites and run untrusted code as root, would you? (i.e. follow the principle of least permission) My proof of concept used Android with AccountManager API calls but this threat extends beyond Android and likely onto anything which will run Chrome. For example, iPhone/iPad support the same feature I am abusing according to Google: http://www.google.com/intl/en/chrome/browser/mobile/ios.html and Mac/PC Chrome also definitely supports this as outlined by Duo Security's recent blog post: https://blog.duosecurity.com/2013/08/beyond-google-application-specific-password-exploiting-google-chromes-stored-oauth2-tokens/ Thanks, Craig Young Senior Security Researcher, Tripwire VERT Follow: @CraigTweets
