Xinhuanet, August 6. According to the technology blog Gizmodo, if you use an Android device you have probably used Google's one-click authentication shortcut. One tap on that convenient little button signs you in to Google's various service sites without entering a password. For users this is enormously convenient. Unfortunately, it is just as convenient for attackers.
Craig Young, a researcher at the security firm Tripwire, studied how this system actually works and presented some alarming details at the DEF CON hacker conference last week. The underlying mechanism, called "weblogin", identifies the user to Google's services by creating a special token. That token is easy to steal, and once stolen it works against practically every Google service.
Young built a proof-of-concept app that claimed to be a stock viewer but in fact stole the user's Google Finance login token and tested it against other Google services, such as Google Apps, Gmail, Google Drive, Google Calendar and Google Voice. When Young uploaded the app to Google's Play Store, with the description stating plainly that it was a security risk, it stayed there for several months. Google's anti-malware scanner either left it unscanned, which is bad, or scanned it and passed it, which is worse.
Until the flaw is fixed, it is best not to trade security for the convenience of one-click authentication. In other words, choose "Deny" whenever you receive any permission request that mentions weblogin. That is disappointing, but security usually comes at the cost of some convenience, so treat "one-click" features with caution from now on. And never forget that even an app from Google's Play Store may be after your account.
The vulnerability was reported to Google in February, but so far only part of it has been fixed: for example, a stolen token can no longer be used to pull a complete copy of the account's data through Google Takeout. A stolen token can still be used to sign in to the user's Gmail or to view the contents of their Google Drive.
(Translator: Gao Fei)
This is a joint piece by Baidu News and Xinhuanet's international channel; please credit the source when reposting.
Android's One-Click Google Auth Is a Buffet for Hackers
If you've got an Android device, you've probably used Google's one-click authentication shortcut, that convenient little button that lets you sign into various Google service sites without having to enter your password. It's super convenient! For you and for hackers.
Craig Young, a researcher at security firm Tripwire, did some digging into how the system really works, and turned up some scary details in a presentation at DEF CON last week. The underlying system, called "weblogin", works by creating a special token that identifies you to various Google services. But that token can be stolen easily, and once it is, it'll work for just about anything.
Young created a proof-of-concept app that pretended to be for viewing stocks, while in actuality it would steal a user's Google Finance login token and test it against other Google services like Google Apps, Gmail, Drive, Calendar and Voice. And when Young put the app on the Play Store, clearly labeled in the description as dangerous, it persisted for months, either unscanned (bad) or scanned and OKed (worse!) by Google's anti-malware system, Bouncer.
The vulnerability was reported to Google back in February, but since then only parts of the problem have been fixed, such as full rips of account information via Google Takeout. Stolen tokens are still plenty useful for rifling through someone's Gmail, though, or checking out the contents of their Drive.
Until there's some sort of fix, it's probably wise to avoid one-click auth, convenience be damned. That means saying "no" if you get any permission requests that mention weblogin. It's a bummer, but good security usually makes for some inconvenience, so be wary of the one-click option, now and in general. And never, ever forget that even Play Store apps might be trying to eat your lunch.