09
Feb
image
Last Updated: February 13th, 2012

Yesterday, a security firm called zvelo demonstrated a vulnerability within Google Wallet, cracking its PIN verification system using brute force, giving Wallet access to anyone who had the exploit. It was also revealed that the hack only worked on rooted devices, and Google swiftly reported that a fix for the bug was already being worked on.

Adding to Google Wallet's security worries, a new hack was posted online today, claiming to give access to Google Wallet (sans PIN) on non-rooted devices, requiring just a few steps to gain user information (and funds).

The Smartphone Champ reported on the newly-discovered flaw, explaining just how the exploit works:

The security flaw is painfully easy to do and requires no extra software nor does it require root.  All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app.  After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it.  The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device.  In other words, they’d be able to add your card and have full access to your funds.

At the moment, all users of Google Wallet are technically at risk, though both exploits require any nefarious user to be holding your phone in order to gain access to information/funds. Google has yet to say anything about the new vulnerability or when it may be remedied, but we'll be here to cover any new developments as they emerge.

Via 9to5Google

Liam Spradlin
Liam loves Android, design, user experience, and travel. He doesn't love ill-proportioned letter forms, advertisements made entirely of stock photography, and writing biographical snippets.

  • Germian

    Ugh, really? Only deleting the data from the Wallet app? That's pathetic..

    • DCMAKER

      and thats why i never use suck things...case and point....thats not the right lingo is it?

  • http://profiles.google.com/ISantop Ian

    On the other hand, this would only give access to the Prepaid funds. Google's dream is for real cards to take it's place, and even if you have it there, I'd consider it unwise to keep more than $20-$30 there at a time.

    • GergS

      Yeah it is a sucky vulnerability, but I only have $10 on it...

      I was thinking it would expose my CC data!

      Still, the PIN should just be controlled in our google accounts, like everything else.

  • Paul

    Can't you just log into Google wallet and delete any real cards you have there? Access to an account w/ no information isn't going to get them far or am I missing something?

  • Telanis

    You said it requires root, but the quote says it doesn't. Might wanna fix that.

    • Telanis

      Nevermind, I think I misread. Why can't I delete my comments anymore? :(

  • Shane

    This is really no more of a security risk than what you have by carrying around a wallet with cash and credit cards in it.

    • DCMAKER

      Cash no...credit cards yes....See with credit cards your not liable for any charges if reported in 24 hours if i remember correctly...if your phone gets stolen your out of luck because you charged it and you lost those already purchased funds

  • matt

    I lose my wallet more than my phone so really could care less

  • Jaymoon

    Not that this is a new "hack" of any sort, at least because of the root-hack this will shine the light on Google to fix this flaw.

    I couldn't sell off my old Nexus S until I used up my prepaid balance, because there's no way to get it off the phone (except to spend it, or buy a new NFC phone).

  • Dan

    Wow, you mean if a dirtbag steals my wallet, they can spend the money that's in it? Holy crap, that's... that's... exactly the same as it's always been. Big freakin' deal.

  • blunden

    I didn't even think you could actually add money to that prepaid card but rather that it's only purpose was to give you that first $10 free as an incentive to try the service.

    The fact that it was tied to the device was no news to me at least. The reason they tied it to the device like that is probably because people could otherwise theoretically just create new google accounts any time they wanted to buy something for $10 or less. They could also use some service for money transfer to just transfer all that free money into a signle account.

Quantcast