Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Works to Fix Security Concerns Surrounding Google Wallet

Over the weekend, Google addressed two separate security issues within Google Wallet, one which takes some skill and knowledge to exploit, and one that anyone searching the lost and found box can exploit – assuming they are aware of it.

Over the weekend, Google addressed two separate security issues within Google Wallet, one which takes some skill and knowledge to exploit, and one that anyone searching the lost and found box can exploit – assuming they are aware of it.

Google Wallet Security VulnerabilityThe first issue, discovered by researchers at the security firm zvelo, allowed them to discover the Google Wallet PIN, after brute forcing the application’s SQLite database. In order for this trick to work, the device must first be rooted, and after that, the cracking application must have the UID matched to the UID of Google Wallet or 0, something that zvelo did not mention in their report.

“zvelo feels that the fact that this attack requires root permissions does not in the least bit diminish the risk it imposes on users of Google Wallet. Our reasoning is simple: Presently, the PIN is easily revealed, but with the proper fix in place, the PIN will be nearly impossible to crack. It is as simple as that,” the company said in their initial report.

When asked about the vulnerability, Google pointed out something many of those who take pride in their rooting skills noticed immediately, namely that in order for it to work, the device had to have been rooted, and its security stripped. “The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device,” a Google spokesperson told SecurityWeek via email.

In addition, the spokesperson noted that to date, there are no known methods available to take a consumer phone and gain root access, while preserving any Wallet information – including the PIN.

“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”

The second vulnerability concern deals with unauthorized access to a device. Anyone who does not lock their screen, and happens to have their Google Wallet-enabled smartphone fall into someone else’s hands, could not only lose the hardware itself, but all of the money associated with the Wallet account.

This is because the Google Wallet information, such as balance, is linked to the device itself, and not a person’s Google account. In order for it to work, all an unauthorized user needs to do is reset the Wallet settings in the application’s menu. Once that is done, they’ll be prompted to enter a new PIN, which would enable them to access the funds associated with the device itself.

Google is aware of the issue and working to fix it. In the meantime, in addition to not rooting the device itself, the use of screen locks is a highly – they are willing to beg here – encouraged act.

“…to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock…we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon,” said Osama Bedier, the VP of Google Wallet and Payments.

Moreover, if you are a Wallet customer, and you happen to have your device stolen or you lose it, you can protect yourself by reporting this fact to Google Wallet Support at 855-492-5538.

Related: Unencrypted Data Weakens Google Wallet (For Now)

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Chinese tech giant Huawei patched nearly 300 vulnerabilities in its HarmonyOS operating system in 2022.