The Google Admin application – which allows users to manage their Google for Work accounts from their Android devices – contains an unpatched vulnerability that can be exploited to read data from any file within the Google Admin sandbox.
The vulnerability – identified by security researchers with MWR Labs and deemed medium in severity – impacts Google Admin version 2014101605 and lower, Rob Miller, senior security researcher with MWR InfoSecurity, indicated in an advisory published on Thursday.
“The vulnerability discovered allows other applications on the same phone as a Google Admin app to read credentials from the Admin app, potentially letting [a] malicious app perform actions on the Gmail for work accounts using these credentials, without any interaction from the user,” Miller told SCMagazine.com in a Friday email correspondence.
Miller explained that a file containing a token plays into the threat.