-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GmsCore leaking Google account password on login #1567
Comments
Can confirm , it does this for me as well. |
Can confirm, research is being done to exploit. |
Pretty sus |
amogus sus |
Thanks @flawedworld for pointing out that this has been around for 7 years. GmsCore/play-services-core/src/main/java/org/microg/gms/auth/login/LoginActivity.java Line 445 in 96cfe2b
|
... as they said at Chernobyl: |
NSA connection confirmed. |
Just confirmed this for myself. This is a pretty serious bug, might want to get on this soon. |
I have ethics most could appropriate. However in 3 days, I've worked it out, without a CEH or any formal training. It's trivial so no need to release a white paper, or a whack-a-mole proof-of-concept, I've made my point; but who else, that isn't so forthcoming? My research makes no noteworthy revelations and wouldn't aid in the development of better security, thus I'll refrain. |
Hey guys, I have a workaround for everyone: don't give Also, if you think leaking the password to adb log is bad, I have even worse news for you. MicroG also sends your password over the internet, to a company known for making money off of users' data: Google! But seriously: yes, it's a bug, but it's not the end of the world. |
My method requires native exicution but requires no permission hence it would require creative deployment, many methods of which are well known. Your right dimaryaz, remote console is another angle, which could be mitigated with simple settings discipline. Sorry, the word choice is to obfuscate, I fear I spell out the obvious too much as is. Agreed, this is an important bug, and a seurity concern, but far from the end of the world. PCAP logs show that plain passwords aren't exposed so it seems it's local logs only. This without even peeling at code, but now I'm curious, thought I'll likely be quickly out of my depth. |
So... just to confirm, does it only post the account credentials to the log during the activity of actually adding a new google account to the device? That's the only time I saw it doing that. |
This is a highly nonsensical and unproductive comment. You're comparing something all protected by TLS to a password being stored and logged in plain text, not hashed or anything. ADB is not required to get logs from logcat either. Selecting the bug report option in Developer Options will dump logs. Edit: There is also a READ_LOGS permission for apps to read logs. This is not strictly an ADB issue. |
Zanthed, you just broke my exploit, I hadn't tested without bug report turned on. It seems without adb, root, bug reports, or extremely old systems (Android 4.1 or older) I can't get logs from another app. So unless someone has something more cleaver than I, it seems being mindful of your settings is sufficient to protect non rooted users. For rooted users; I'm not sure, I don't have a device I'm willing to wipe to test Terminator-J's method, however I'm investigating the viability of it. [EDIT: I just triggered a permissions dialogue. Selecting 'Allow' fixes my exploit but it's very blantant that wack-a-mole is accessing logs from other apps so...] |
I am not sure what you are saying. You are literally using a Google account, Google has control over your Google account. It's not "bad" or "good". It's just how it is. It doesn't matter if MicroG sends your Google account password to Google or not, so long as its encrypted during transport. Storing passwords in plain text in any form, waiting to be extracted, is a big issue however. |
Lol they were joking becuase they said but seriously |
This isn't the place for jokes. Not productive at all. |
Regarding the
The only risk that I personally can see here is that the password is accidentally sent to a vendor through a custom bug report feature, or using the system Bug Report feature to whomever the report is sent. |
Apps aren't supposed to log sensitive data to the system logs primarily due to them often being shared as part of OS bug reports. Many operating systems have a feature for submitting bug report zips which include the system logs. It's a minor issue especially relative to much more serious problems that are present. Should worry about properly enforcing the Play services API security model and transport security rather than this. READ_LOGS is |
Doesn't fix the root of the problem, but it works (kinda)... |
Issue: microg#1567 Change-Id: I6a27926e41957443e040f8a737425d7be1ca97b3
Issue: microg#1567 Change-Id: I6a27926e41957443e040f8a737425d7be1ca97b3
Describe the bug
On login, there are logs with D tag from
GmsAuthLoginBrowser
shows my Google account mail address and password. It even shows up when adb is run without root, which is not good for security.Steps to reproduce the behavior:
adb logcat | grep GmsAuthLoginBrowser
Expected behavior
No passwords should be shown in logcat.
System
Android Version: R
Custom ROM: CAOS v313
Additional context
If you have 2FA enabled (SMS code, call, etc) it will show the code too.
09-19 07:55:44.497 6278 6464 D GmsAuthLoginBrowser: JSBridge: getDroidGuardResult: ["nullnull4null9nullnullnullnullnullnullnullnull239405null2"]
The login code was
239405
The text was updated successfully, but these errors were encountered: