According to a report by The Register, the vast majority of phones running Google's Android OS are susceptible to attacks that allow people to steal personal information like usernames and passwords used to access Google services.
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent request to the service, attackers who capture it can use it to gain unauthorized access to the account.
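The two properties described above, a token carried over plain HTTP and a 14-day reuse window, are what a defender would audit for. The following is an added example, not code from the article or from the Ulm researchers: it scans a constructed proxy-style log for authentication headers sent without TLS, reports which captured tokens are still inside their validity window (and so need revoking), and shows the client-side check that refuses to attach a token to a non-HTTPS request. The log layout, hostnames, timestamps and token strings are all constructed for the demo; the `GoogleLogin auth=` header form is the one ClientLogin used, but the sample values are not real tokens.

```python
"""Audit request metadata for authentication tokens sent without TLS.

Added example modelling the ClientLogin weakness: an authToken travelling in
an Authorization header over plain HTTP stays reusable for up to 14 days.
Everything below (log format, hosts, tokens) is constructed for the demo.
"""
from datetime import datetime, timedelta

# Constructed sample log, one request per line:
#   <timestamp> <scheme> <host> <path> <Authorization header value or '-'>
SAMPLE_LOG = """\
2011-05-16T08:00:01 http www.google.com /calendar/feeds/default GoogleLogin auth=DQAAAHYAAAD_example_token_1
2011-05-16T08:00:03 https www.google.com /m8/feeds/contacts/default/full GoogleLogin auth=DQAAAHYAAAD_example_token_2
2011-05-16T08:00:05 http picasaweb.google.com /data/feed/api/user/default GoogleLogin auth=DQAAAHYAAAD_example_token_3
2011-05-16T08:00:09 http www.google.com /images/logo.png -
"""

TOKEN_LIFETIME = timedelta(days=14)  # validity window stated in the article


def parse_log(text):
    """Parse the constructed log format into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 4)  # header value may itself contain a space
        if len(parts) != 5:
            continue
        ts, scheme, host, path, auth = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "scheme": scheme.lower(),
            "host": host,
            "path": path,
            "auth": None if auth == "-" else auth,
        })
    return records


def cleartext_token_exposures(records):
    """Return the requests that carried an auth token over a non-TLS scheme."""
    return [r for r in records if r["auth"] and r["scheme"] != "https"]


def tokens_still_replayable(records, now):
    """Exposed tokens whose 14-day window has not yet closed at time `now`.

    These are the tokens an account owner would want invalidated (for
    ClientLogin, that meant changing the password) rather than waiting out
    the window.
    """
    return {
        r["auth"]
        for r in cleartext_token_exposures(records)
        if r["time"] + TOKEN_LIFETIME > now
    }


def authorized_headers(url, token):
    """Client-side guard: only attach the token when the transport is TLS."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send auth token over cleartext: " + url)
    return {"Authorization": token}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in cleartext_token_exposures(recs):
        print("cleartext token to", r["host"], r["path"], "at", r["time"])
    print("still replayable on 2011-05-20:",
          sorted(tokens_still_replayable(recs, datetime(2011, 5, 20))))
```

Run against a real capture, the parser is the only part that changes; the exposure and window logic stays the same. The guard in `authorized_headers` is the fix the article's patched Android versions amount to for Calendar and Contacts: never let the token leave the device over an unencrypted channel.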
Back in February, a Rice University professor uncovered security weaknesses that affected Twitter, Facebook, and Google Calendar when a user was connected to a public Wi-Fi network.
Google has since patched that hole with the release of Android 2.3.4 and the new 3.0 Honeycomb. However, according to The Register, the new versions of Android "still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels."
Google has released a statement saying the company is aware of the deficiencies and is working on a fix.
[via The Register]