A new and troubling, vulnerability in Google Wallet has been exposed. Unlike a low-risk security issue identified yesterday, today’s security flaw is described as painfully easy.
Security firm Zvelo yesterday discovered a vulnerability in Google Wallet, Google’s NFC payment system, that allows anyone holding an already-rooted smartphone running Google Wallet to access the Google Wallet PIN.
Such a vulnerability allows a hacker to use a Google Wallet-enabled smartphone to maker purchases using the credit card information tied to the NFC chip. However, Google points out that this is a low-risk situation, because it only works if the smartphone has already been rooted (by the owner), and credit card information, while useable, is still secure.
Easy Exploit
Today’s more serious glitch is described by smartphone blog The Smartphone Champ, which describes a security flaw in Google Wallet that is “painfully easy to do,” requires no extra software (unlike the Zvelo flaw), and does not require a rooted device.
Basically, the problem stems from the fact that credit card data is tied to the device, not a person’s Google account. So anyone holding a Google Wallet-enabled phone can change the Google Wallet PIN by going into the application settings menu and clearing the data for the Google Wallet app. Once this is done, the Google Wallet app will prompt the user/hacker for a new PIN.
Because the card data is tied to the device, when the user/hacker adds the Google prepaid card to the Google Wallet app after resetting the data, the old card data will be added to the app. So the user/hacker will now be able to access the card’s funds — although it should be noted that the credit card data will still be secure (but does it really matter if it’s secure when someone else can access your funds?).
Here’s a demonstration of the vulnerability:
This vulnerability is a much bigger deal than the Zvelo one, because it’s easy to perform (the Zvelo vulnerability required a modicum of hacking knowledge to crack), and it can be performed on any device–rooted or not.
Google’s Advice
Google has noted the security flaw and tells PCWorld that it’s currently working on an automated fix that will be available soon. Meanwhile, Google recommends that all Google Wallet users set up a lock screen as an additional layer of protection for their phone.
Google also strongly encourages users who lose or want to sell their Google Wallet-enabled phones call the Google Wallet support (toll-free) number, 855-492-5538, to disable the prepaid card.
Follow Sarah on Twitter, Facebook, or Google+, and and Today @ PCWorld on Twitter.