Another Google Wallet vulnerability has been discovered. After a brute force method was found to be able to retrieve the Google Wallet pin number on rooted phones which have been lost and don’t have any security features to keep people out of the phone, another vulnerability has been discovered.
Unlike the other, this one doesn’t require root. It still does require your attacker to have your phone and bypass any security you setup, though. A user with your phone could simply clear Google Wallet’s application data. Upon doing this, a pin number is requested when you first launch the application.
The attacker can put his own pin in and gain access to the application. The only thing they’d be able to access are your Google Wallet Prepaid card. Any other credit cards tied to your account are removed upon clearing data.
We’re not too sure how many people actually use this particular feature but we imagine those who do only add funds as they need them and don’t use it to house their entire life savings. It’s still a vulnerability, though, and needs to be addressed.
Google could simply implement the PIN system on their server and request the pin even if a phone has been factory reset. They’d simply ask you to sign into your Google account and verify the PIN that is tied to that account for Google Wallet before allowing the user access. Even the freshest of installs couldn’t bypass that.
We’re not sure what Google will be doing about this particular flaw but we’d hope that the above idea is tops on their list. It’s probably a good idea to setup a password on your phone and not lose that phone. Beyond that, simply don’t keep funds inside your virtual prepaid card. [via Droid-Life]