Attacking Google Accounts with 'weblogin:' Tokens

[Craig Young <vuln-report () secur3 us>]

For those who missed it, I would like to spread awareness about how
conveniences built into the Google eco-system can allow an
application, a physical user, or a forensics expert to access almost
everything in your Google account.

[LINKS]
A nice summary from Lucian Constantine:
http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

Intro Blog: 
http://www.tripwire.com/state-of-security/off-topic/defcon-sneak-peek-how-risky-is-google-apps-for-your-business/
DEF CON 21 slides are here: http://secur3.us/DC21Slides.pdf
Brief Demo Recording: http://secur3.us/DC21-ShortDemo.mp4
Android PoC here: http://secur3.us/DC21-PoC.apk
PoC Source here: http://secur3.us/DC21-PoC.java

Please note that the app will send your token to my server. I am not
doing anything with them but it will log your account names on my
server.  I would like to encourage all Android AV vendors to strive to
block not just this app but any app which is sending tokens off the
device.  I am also recommending that any Google Apps administrator
accounts should not be used with Android devices -- you wouldn't
browse web sites and run untrusted code as root, would you?  (i.e.
follow the principle of least permission)

My proof of concept used Android with AccountManager API calls but
this threat extends beyond Android and likely onto anything which will
run Chrome.  For example, iPhone/iPad support the same feature I am
abusing according to Google:
http://www.google.com/intl/en/chrome/browser/mobile/ios.html and
Mac/PC Chrome also definitely supports this as outlined by Duo
Security's recent blog post:
https://blog.duosecurity.com/2013/08/beyond-google-application-specific-password-exploiting-google-chromes-stored-oauth2-tokens/

Thanks,
Craig Young
Senior Security Researcher, Tripwire VERT
Follow: @CraigTweets