US SECURITY RESEARCHERS have found a vulnerability that lets them hack Gmail with up to 92 percent success across the Android, Windows and iOS operating systems.
The flaw was uncovered by experts at the University of California Riverside Bourns College of Engineering and the University of Michigan, who identified a weakness believed to exist in the app on all major operating systems. They said that the vulnerability could allow attackers to steal users' sensitive data.
The findings will be presented at the USENIX Security Symposium in San Diego on 22 August in a report entitled "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks". Although it was tested on only an Android phone, the team believes that the method could be used across all three operating systems because the apps on all of the operating systems can access a mobile device's shared memory.
"The assumption has always been that these apps can't interfere with each other easily," said associate professor at UC Riverside Zhiyun Qian. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."
The paper explains how the attack works by giving the example of a user downloading what he or she believes is a "harmless application". Once it was installed, the researchers said, they were able to exploit a public side channel and the shared memory of a process, which can be accessed without permissions or app privileges.
Changes within the shared memory are then monitored, and these changes are correlated with what the team calls an "activity transition event". So when a user is actively using an app to log into Gmail, for example, or take a picture of a cheque so it can be deposited online at a bank, activity changes are noted.
The cyber researchers said the method used to exploit the flaw in Gmail was successful "between 82 percent and 92 percent of the time" on six of the seven apps tested. Other apps hacked included H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon. The researchers said that the Amazon app was the hardest to access, with a 48 percent success rate.
Google has welcomed the research, saying, "Third-party research is one of the ways Android is made stronger and more secure."
In July, Lacoon Mobile Security warned that users accessing Gmail on iOS devices could be at risk of having their data stolen.
The security firm said that the vulnerability was made possible by Google's failure to implement technology to prevent attackers from viewing and modifying encrypted communications exchanged with the internet search giant.