Security flaw identified in Google Wallet

February 10, 2012

Security researchers have uncovered a method of cracking Google Wallets PIN security in just a matter of seconds. The Google Wallet application stores a hash of the PIN, which allowed them to create a matching PIN simply by hashing all 10,000 possible numbers which only took a few seconds. Closer examination of the per-app DB, the metadata table contained three rows with some data in each.

An encrypted file system named id ‘gmad_bytes_are_fun’ was present in the metatable – but why store in the metatable? We are not sure as this encrypted file should have resided in the Secure Element (SE). Some of the data needed parsing but given this was compiled using Google’s own “Protocol Buffers” it wasn’t long before the researchers could uncover the contents of the binary data which included the UUID, GAIA, C2DM, Google Wallet Setup status, TSA, Secure Element (SE) status and most scary of all – the ‘Card Production Lifecycle’ (CPLC).Comments

Tagged with:

Leave a Comment

Please keep in mind that comments are moderated and rel="nofollow" is in use. So, please do not use a spammy keyword or a domain as your name, or it will be deleted. Let us have a personal and meaningful conversation instead.

You must be logged in to post a comment.

IT MAGAZINES: Hakin9 Magazine | Pentest Magazine | eForensics Magazine | Software Developer's Journal | Hadoop Magazine | Java Magazine
IT Blogs: Hakin9 Magazine Blog | Pentest Magazine Blog | eForensics Magazine Blog | Software Developer's Journal Blog | Hadoop Magazine Blog | Java Magazine Blog
IT ONLINE COURSES: Pentest Laboratory
JOB OFFERS FOR IT SPECIALIST: Jobs on Hakin9 Magazine | Jobs on Pentest Magazine | Jobs on eForensics Magazine | Jobs on Software Developer's Journal | Jobs on Java Magazine | Jobs on Hadoop Magazine
Hakin9 Media Sp. z o.o. Sp. komandytowa ul. Postępu 17D, 02-676 Warszawa