Google Wallet's default security mechanism suffers from a serious vulnerability that could give hackers access to virtually everything a user has stored in his/her digital wallet on a 'rooted' device, including transaction history and credit card details, a security researcher has revealed.
Joshua Rubin, the researcher behind this discovery, explained the vulnerability in a blog post and posted a video to demonstrate the hack. According to Rubin, the glitch affects Google Wallet's four-digit PIN, which users must enter to access the data in their wallet.
Google Wallet allows users to use their Near Field Communication (NFC) devices to pay for items purchased in store by just waving their device at the point-of-sale terminal. NFC uses what is called the Secure Element (SE) to secure the transactions.
The researchers at zvelo utilised their security expertise and managed to get hold of the data that is encrypted via this SE on one of their 'rooted' devices. Once they had access to that data and had applied their deciphering capabilities, the researchers were able to obtain a large amount of secret information, including the PIN information.
Google, in response to the findings, has said that this particular vulnerability is exploitable only on rooted devices, which have their security mechanisms disabled. "The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN", notes c|net.