Nearly all Android-based smartphones were susceptible to a security hack allowing third parties to access a user's private information, calendar and contacts, according to research.
Researchers at Germany's Ulm University have discovered that all Google services using the company's ClientLogin API could have, until recently, been accessed remotely by third-party hackers, through methods the researchers say affected 99.7 percent of Android devices and are "quite easy" to perform.
The method is described as being similar to cookie theft, or "sidejacking," the method used by the infamous Firesheep plug-in for the Firefox web browser. It essentially captures unencrypted data that is "not bound to any session or specific device information," allowing third parties to bypass traditional login requirements and instantly access a user's information.
According to the report, the attack would give the hacker full access to view, modify and delete contacts, calendar events, and private pictures.
Google responded to the findings, telling Edge Online that it was aware of the issue, and has "already fixed it for calendar and contacts in the latest versions of Android," and that it is still working on fixing Picasa, its photo storage and sharing service.
Google also disputed the 99.7 percent figure, saying the exploit could only be used in very specific circumstances that are not necessarily likely.