Google has announced today that it is currently fixing an Android security flaw that was brought to the public’s attention last week by German researchers.
The group explained on Friday that some Google account authentication tokens were apparently being sent OTA unencrypted, leaving users with their data freely available if they were on public Wi-Fi.
Hackers using simple software could steal account info for Google Calendar, Contacts and Picasa accounts.
Users with Android 2.3.4 are free of the issue, but 98.4 percent of Android devices run Android 2.3.3 or lower, making the fix useless for the vast majority.
Google has begun rolling out the server-side patch this week for Android 1.5 - 2.3.3, and it will be completed by the end of the week.
Says Google, via CW:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
Result for: circumstances
Back in January, we reported that Canonical, the group behind Ubuntu Lucid releases, had made a deal with Yahoo to make Yahoo the default Firefox search engine instead of Google.
Today, Canonical has done an about-face, announcing they are switching back to Google with the release of Ubuntu 10.04.
Says Rick Spencer, of Canonical: “However, for the final release, we will use Google as the default provider. I have asked the Ubuntu Desktop team to change the default back to Google as soon as reasonably possible, but certainly by final freeze on April 15th. It was not our intention to “flap” between providers, but the underlying circumstances can change unpredictably. In this case, choosing Google will be familiar to everybody upgrading from 9.10 to 10.04 and the change will only be visible to those who have been part of the development cycle for 10.04.”
Result for: circumstances
Twitter director of Trust and Safety Del Harvey has posted today that it will be forcing a number of users to change their passwords this week after it was discovered that hackers had used torrent sites to steal access to user’s data.
“As part of our ongoing efforts to monitor our user base for odd activity, we noticed a sudden surge in followers for a couple of accounts in the last five days. Given the circumstances surrounding this we felt it was best to push out a password reset to accounts that were following these suspicious users,” said Harvey.
It is unclear how many users are affected.
The details were stolen from third-party torrent sites that require logins. Because many users use the same information for multiple sites, the hackers used the torrent site logins for Twitter as well.
“As a general rule, if you signed up for a torrent forum or torrent site built by a third party, you should probably change your password there,” adds Harvey. “The takeaway from this is that people are continuing to use the same email address and password (or variant) on multiple sites. We strongly suggest that you use different passwords for each service you sign up for.”
