The latest Google Wallet hack is the first to impact users of stock Android phones and allows anyone who obtains a lost or stolen device which does not have a screen lock set up to gain access to and spend the owner's prepaid card balance.
A new Google Wallet hack, the second to emerge this week, has been discovered. The latest exploit is the first to have an impact on all Google Wallet users, rather than only those who have rooted their phone, and was uncovered by a member of the XDA Developers forum in December and reported this week by The Smartphone Champ. The site explains the hack as follows:
The security flaw is painfully easy to do and requires no extra software nor does it require root. All a person who wants to access your Google Wallet has to do is go into the application settings menu and clear the data for the Google Wallet app. After doing that your Google Wallet app will be reset and will prompt for you to set a new pin the next time you open it. The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account, that once they set the new pin and log into the app, when they add the Google prepaid card it will add the card that is tied to that device. In other words, they'd be able to add your card and have full access to your funds.
The Smartphone Champ has also produced a video showing the hack in action:
Setting up a PIN-protected screen lock should prevent anyone from carrying out the exploit, as Google points out in an official response:
We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.
The discoverer, Evangelion01, notes on XDA Developers that Google was informed of the problem on 27 December.
The hack is the latest in a series of attempts to crack the internet giant's NFC mobile wallet application. Yesterday, Zvelo engineer Joshua Rubin released details of a security vulnerability in rooted Android phones running Google Wallet that exposes the four digit PIN used to protect access to the application. In October, a team of developers found a way to add Google Wallet to unsupported Google Nexus devices and, in December, digital forensics firm ViaForensics found that a "significant" amount of data was stored unencrypted within Google Wallet.
All the vulnerabilities reported so far are specifically related to the way in which Google Wallet is implemented. None involve the NFC aspect of the product or have compromised in any way the security of the core NFC secure element chip which is used to store users' personal data.