Thursday, May 19, 2011

Google is rolling out a patch to secure Google Android

Some of you are aware that a security flaw was discovered yesterday in Google Android, more specifically in the Picasa, Calendar and Contacts applications. For those who missed it, this flaw is rather problematic since it may allow a third party to access the data contained in these applications. As usual, Google has been quite responsive, and the firm is currently deploying a patch to resolve the problem for Calendar and Contacts.

Once identified, when the user accesses those services, the application performs a specific transaction based on an identification protocol and more specifically on an access token valid for 14 consecutive days. Why? Simply to spare you from retyping your username and password each time. When you check your calendar or any other application several times a day, that is pretty handy.
Obviously, this transaction is expected to be made over "https", but on Google Android (version 2.3.3 and below) this is not the case. So if you log on to an unsecured network, sniffing that network is enough to recover your token and impersonate you. An attacker is then free to view your calendar, the addresses, phone numbers and e-mail addresses of all your contacts, and even browse through your private (and necessarily very naughty) albums on Picasa. Not cool, we agree.
That said, Google does not see it that way, and the search giant is currently rolling out a fix so that this transaction finally relies on the "https" protocol. The only downside: this hotfix apparently applies only to the calendar and contacts, which simply means we will have to wait a bit for the flaw to be corrected on Picasa. Note also that Google should take the opportunity to reset all existing tokens so that its users are protected.
Needless to say, many newspapers immediately pointed the finger at Google. Sure, this security flaw is a bit of a big mistake, but the firm did, all the same, react very swiftly.
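
To make the exposure described above concrete, here is an added example (not code from Google or from this post) that audits a list of recorded client requests and reports every still-valid token that travelled over a non-HTTPS URL, which is the set of tokens that would need to be reset. The record layout, header names, hosts and token values are assumptions constructed for the illustration; only the 14-day lifetime comes from the post.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)               # lifetime stated in the post
CREDENTIAL_HEADERS = {"authorization", "cookie"}  # assumption: where a token travels

def audit_requests(requests, now):
    """Return one finding per still-valid token seen on a non-HTTPS URL."""
    exposed = {}
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue                              # protected in transit
        expires = req["token_issued"] + TOKEN_LIFETIME
        if expires <= now:
            continue                              # already expired, nothing to revoke
        for name, value in req["headers"].items():
            if name.lower() in CREDENTIAL_HEADERS:
                entry = exposed.setdefault(value, {"hosts": set(), "expires": expires})
                entry["hosts"].add(parts.hostname)
    return [{"token_hint": token[-4:],            # never log the whole token
             "hosts": sorted(entry["hosts"]),
             "days_left": (entry["expires"] - now).days}
            for token, entry in exposed.items()]

# Constructed sample data: hosts, token values and timestamps are made up.
SAMPLE_NOW = datetime(2011, 5, 19, 12, 0)
SAMPLE_REQUESTS = [
    {"url": "http://calendar.example/feed", "token_issued": datetime(2011, 5, 10, 12, 0),
     "headers": {"Authorization": "token=constructed-0001"}},
    {"url": "https://contacts.example/feed", "token_issued": datetime(2011, 5, 10, 12, 0),
     "headers": {"Authorization": "token=constructed-0002"}},
    {"url": "http://photos.example/albums", "token_issued": datetime(2011, 5, 10, 12, 0),
     "headers": {"Authorization": "token=constructed-0001"}},
    {"url": "http://calendar.example/feed", "token_issued": datetime(2011, 5, 1, 12, 0),
     "headers": {"Authorization": "token=constructed-0003"}},
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS, SAMPLE_NOW):
        print(finding)
```

The same token reused across services shows up once with every cleartext host it reached, so a single reset covers all of them.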

