I was just told this morning during an early morning coffee with a friend about a new vulnerability found in Google Wallet. I was going to try to find information on it at work but it was not necessary. It was highlighted in the daily news digest of the industry that we get. Everyone out there is talking about an unbelievably simple and, in my most humble opinion, absurd vulnerability in Google Wallet.

The presented threat does not even require hacking skills or complex tools. You just need somebody else’s phone, whether bought second hand or stolen/“found”. Apparently, the way Google Wallet works is such that the system gets synced with your device (the phone) instead of your Google Account. Although there is a PIN to add an extra layer of security, if somebody erases all the data of the Wallet app and runs it again, it asks for a new PIN and allows you to use the Google Wallet account and funds the previous user/owner had. Just as simple as that.

Google has acknowledged the threat and is offering a quick initial fix, consisting of providing a phone number to call to cancel the account linking for people who have lost their phone or want to sell it. They are also working on an automatic fix to be delivered with an update of the app.

Read about this incident on the NYTimes, Electronista, TechCrunch and The Smartphone Champ.
