June 14, 2021

Researchers Spot Security Flaws in Google’s ClientLogin Protocol

Researchers from Ulm University have discovered potential security vulnerabilities in Google’s ClientLogin Protocol primarily on Android but which also exists for any apps and desktop applications that use Google’s ClientLogin protocol over HTTP rather than HTTPS.

Recent research has found that using Android on open WiFi networks is dangerous as some Android applications, including the Google Calendar app and Google contacts, transmit data in the clear, allowing an attacker to eavesdrop any transmitted information.

Researchers Bastian Könings, Jens Nickels, and Florian Schaub wanted to know if it is possible to launch an impersonation attack against Google services and so started their own analysis. According to their research it is possible and such attacks are not just limited to Google Calendar and Contacts, but are theoretically possible with all Google services using the ClientLogin authentication protocol.

Google’s ClientLogin protocol works by using an authentication token (authToken) which is requested by an application via HTTPS. If the supplied username and password are correct the token is sent to the application. The token is then used in all other requests to the Google services but not necessarily over HTTPS (making it easy to capture) and since the authToken is not bound to any session or specific device an attacker can use a captured authToken to access any personal data which is made available through the service API.

It is clear that Google are aware of this problem because as from Android 2.3.4 the Calendar and Contacts apps now transmit requests over HTTPS. However Android 2.1, 2.2.1 and 2.3.3 are all vulnerable. Interestingly the new Picasa Web Albums synchronization found in Android 2.3 uses HTTP, not HTTPS, and as such is vulnerable.