
Posted on Feb 15, 2012 in Hacking, Infosec

Google Wallet’s brute-force vulnerability still at large, Google in a fix without a fix

Security researchers at zvelo have discovered a vulnerability in the Google Wallet application for Android that could reveal the user’s PIN, after which an attacker could easily spend the victim’s prepaid balance.

The Google Wallet application served as a cashless alternative to carrying around a real wallet or credit card. It was accepted by major merchants and supported by major banks.

From the open-source Android code of the Google Wallet application, the researchers found unique user IDs, Google account information and the PIN stored as a SHA256 hex-encoded string. They then wrote a fairly simple brute-force program that needs a maximum of 10,000 calculations to recover the 4-digit PIN required to use the Google Wallet application.
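The following is an added example, not the researchers' code or code from the original post, showing why a stored digest of a 4-digit PIN offers no protection once it can be read: the whole keyspace is 10,000 candidates. It assumes the stored value is hex(SHA-256(salt || PIN)); the salt, PINs and function names are constructed for illustration, and the PBKDF2 comparison goes beyond what the post describes.

```python
import hashlib
import hmac

KEYSPACE = 10 ** 4  # every 4-digit PIN, 0000-9999

def stored_verifier(pin, salt):
    """Assumed storage format: hex(SHA-256(salt || ASCII PIN))."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()

def stretched_verifier(pin, salt, iterations):
    """Hardened variant for comparison: PBKDF2-HMAC-SHA256 over the same PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations).hex()

def guesses_to_recover(target_hex, derive):
    """Walk the keyspace in order; return (pin, derivations used)."""
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(derive(candidate), target_hex):
            return candidate, n + 1
    raise ValueError("verifier does not match any 4-digit PIN")

def offline_work(iterations_per_guess):
    """Worst-case hash invocations for anyone who can read the verifier."""
    return KEYSPACE * iterations_per_guess

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    target = stored_verifier("7315", salt)  # constructed sample PIN
    pin, used = guesses_to_recover(target, lambda p: stored_verifier(p, salt))
    print(f"plain SHA-256: PIN {pin} found after {used} derivations")
    # A salt does not help: it is stored beside the digest, and the
    # keyspace is still 10,000. Stretching only multiplies the cost.
    for iters in (1, 10_000, 1_000_000):
        print(f"{iters:>9} iterations/guess -> {offline_work(iters):,} hashes worst case")
```

Even at one million PBKDF2 iterations per guess the worst case is 10^10 hash operations, so the durable control is keeping the verifier unreadable rather than hashing it harder.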

zvelo has also built an Android application called Wallet Cracker to prove their finding; when run, this trivial application reveals the PIN of the installed Google Wallet application. It can be viewed in the video below.

 
Google’s response:
 
Google acknowledged the presence of the vulnerability. It maintained that it has fixed other vulnerabilities involving its Wallet application, yet the brute-force issue remains at large and affects users of rooted Android devices. Google strongly advises against using the Google Wallet application on rooted Android devices.
zvelo advises Android users against rooting their devices, and recommends enabling the lock screen, disabling USB debugging, enabling full disk encryption and keeping the handset up to date.
source: engadget
Indiandragon, though a developer, hacker and researcher by profession, also writes on movies, sports and entertainment at News@Indiandragon. He specialises in technology, defence and information security.