Varutra revealed an issue in the text message notification implementation of Google’s Android operating system which may lead to compromise of user’s Google account, associated with the mobile number of an Android device.
Varutra research team “KALP@Varutra” discovered that, by default, the contents of text messages (SMS) received are displayed on the notification area of the device even if the device is in locked mode. To reset the Google account password, Google sends a verification code on a text message to the mobile device of the user. In case of an Android device, this verification code can be read from the notification area, and thus be used to reset the victim’s account credentials. The only pre-requisite for such an act to be successful is for the malicious user to know the victim’s Gmail ID where victim has set his android phone number with the target Android device.
Consider a scenario where in, a malicious user wants to compromise the victim’s Google account and has visibility to the victim’s mobile screen:
- Attacker accesses the Google account page and clicks on “Can’t access your account?”
- On the “Having trouble signing in?” page, he opts for “I don’t know my password” and puts victim’s Gmail ID in the “Email address” field
- For account recovery options, he/she opts to receive verification code on the pre-registered mobile number and submits the request after entering the victim’s mobile number
- As a result, a verification code is received as a text message on the victims mobile and the attacker can read it on the notification area of the Android screen.
- Attacker submits the verification code and resets the password of Victim’s Google account The severity of this issue escalates by the fact that the Google’s verification code comprises of only 6 digit numeric value, which is easy to read and memorize. The same valid code can be resent to the device up to 5 times.
As per security best practices, the verification code must meet the necessary complexity requirements of being more than 8 digit alphanumeric code, making it difficult to memorize. Also, it should be made random i.e. should change on every new request.
The issue was tested and found to be affecting Android version prior to 4.0.