Building on mounting privacy concerns, it was revealed earlier this week that running an Android device on an unsecured Wi-Fi network, such as the ones you might find at a coffee shop, made it easy for others to steal Google calendar, contacts and other important data on the device.
Ulm University, in Germany, tested out the attack and detailed the results in a blog post:
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."
Luckily this is a problem that can easily be addressed, and has been, because it requires a server-side fix rather than a device-side solution. Computerworld reported today that Google is rolling out the fix. The official statement from Google said:
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."