Google Wallet Has Been Hacked – Two Vulnerabilities Discovered

The magic has been paused – Google Wallet, Google's innovative payment technology, has been hacked today. Not with one vulnerability, but two.

The first hack uses a brute-force attack to reveal the Google Wallet PIN that keeps the application secure. The second hack allows access to the Wallet app on your Android device and makes it possible to add the prepaid balance that is tied to the device.

 


For those hearing about Google Wallet for the first time, it lets you digitize your credit cards and pay for things using near-field communication (NFC) technology. This means you can just touch your phone to an NFC device and the item you are buying is automatically charged to your account. Currently, only Google has implemented this technology, with Google Wallet on its Android-powered Nexus S 4G, available on Sprint.

The first vulnerability, discovered by Zvelo, reveals the Google Wallet PIN on rooted Android devices. Wallet Cracker is a simple app developed by this team.

 

“The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.”
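
The arithmetic in the quote above, worked as an added example (it is not Zvelo's code and not Google Wallet's): how the salt and PIN are combined before hashing is an assumption, since the page does not give it, and the salt and PIN values are constructed. It also times a PBKDF2-stretched variant, which goes beyond the quote, to show that a slower hash alone does not rescue a 10,000-value keyspace.

```python
import hashlib
import time

KEYSPACE = 10_000  # every 4-digit numeric PIN, 0000-9999


def pin_record(pin: str, salt: int) -> str:
    """Assumed storage format: SHA-256 hex over decimal salt followed by PIN."""
    return hashlib.sha256(f"{salt}{pin}".encode()).hexdigest()


def recover_pin(salt: int, stored_hash: str):
    """Walk the whole keyspace; return (pin, hashes_computed)."""
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if pin_record(candidate, salt) == stored_hash:
            return candidate, n + 1
    return None, KEYSPACE


def stretched_keyspace_seconds(iterations: int) -> float:
    """Time one PBKDF2 guess and scale it to the full keyspace."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", b"constructed-salt", iterations)
    return (time.perf_counter() - start) * KEYSPACE


if __name__ == "__main__":
    salt = 8731904477123550912          # constructed sample salt
    stored = pin_record("9999", salt)   # worst case: last PIN tried

    start = time.perf_counter()
    pin, tried = recover_pin(salt, stored)
    elapsed = time.perf_counter() - start
    print(f"recovered {pin} after {tried} hashes in {elapsed * 1000:.1f} ms")

    # A slow KDF multiplies the cost per guess, but the keyspace stays at
    # 10,000, so the total remains small in absolute terms.
    est = stretched_keyspace_seconds(100_000)
    print(f"PBKDF2 x100,000 over the full keyspace: about {est:.0f} s")
```

The salt adds nothing here because it is stored next to the hash; the limit on the work required is the size of the PIN space, not the hash function.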

 


The second vulnerability, discovered later today, works on non-rooted devices as well and requires no special hacking skills. TheSmartPhoneChamp uploaded a video demo that shows this hack. It is simpler than the earlier one. Someone who finds your stolen device can easily access your digital money (funds) just by clearing the Google Wallet app data. Once a new PIN has been entered, the intruder can add your Google Prepaid Card that is tied to the device and access the available money.


Google is reportedly working on these two security flaws.