Android devices vulnerable via unsecured Wi-Fi networks, Google promises fix

Researchers at Germany's University of Ulm claim that 99 percent of Android devices are vulnerable to attack when they're used to log into a site on an unsecured Wi-Fi network.

The researchers said that devices running on Android 2.3.3 or older are vulnerable because of a faulty ClientLogin authentication protocol. ClientLogin is "meant to be used for authentication by installed applications and Android apps," the report said. "Basically, to use ClientLogin, an application needs to request an authentication (authToken) from the Google service by passing an account name and password via an https connection."

That means when a user logs into sites like Facebook, Twitter or Google Calendar, the resulting authToken is retained for up to 14 days. An attacker who captures that token on the open network can therefore use it to access the user's accounts for as long as it remains valid.
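To make the property described in the two paragraphs above concrete, here is an added Python example (not code from the article, from Google, or from the Ulm researchers). It models the two client-side checks that close this exposure, attaching the token only to https requests and retiring it at the 14-day mark, and a small passive detector that flags the token header when it appears in a non-TLS request capture. The `Authorization: GoogleLogin auth=<token>` form is the historical ClientLogin header; the host names, request lines and token values are constructed for the demonstration.

```python
"""Client-side guard and passive detector for the ClientLogin authToken hazard.

Added example, not code from the article, Google or the Ulm researchers. The
`Authorization: GoogleLogin auth=<token>` header is the historical ClientLogin
form; the 14-day lifetime is the figure quoted in the article; host names and
request lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

TOKEN_MAX_AGE_SECONDS = 14 * 24 * 60 * 60   # 14 days, as stated in the article


def token_expired(issued_at, now, max_age=TOKEN_MAX_AGE_SECONDS):
    """True once a token issued at `issued_at` (epoch seconds) has reached `max_age`."""
    return now - issued_at >= max_age


def token_policy_violation(url, issued_at, now):
    """Return why the token must not be attached to a request for `url`, or None.

    Two checks: the token only ever travels inside TLS (so an open Wi-Fi observer
    sees ciphertext), and a token past its lifetime is discarded rather than reused.
    """
    if urlsplit(url).scheme.lower() != "https":
        return "cleartext"
    if token_expired(issued_at, now):
        return "expired"
    return None


class TokenPolicyError(Exception):
    """Raised when a request would expose or reuse an authToken against policy."""


def auth_headers(token, url, issued_at, now):
    """Build the ClientLogin Authorization header for `url`, or refuse."""
    violation = token_policy_violation(url, issued_at, now)
    if violation is not None:
        raise TokenPolicyError(f"refusing to send authToken: {violation} ({url})")
    return {"Authorization": f"GoogleLogin auth={token}"}


# Passive detection side: a monitor (or a lab proxy) records each HTTP request
# together with whether it arrived inside a TLS session.
_AUTH_HEADER = re.compile(r"^Authorization:\s*GoogleLogin\s+auth=", re.IGNORECASE)
_REQUEST_LINE = re.compile(r"^[A-Z]+\s+(\S+)\s+HTTP/\d\.\d$")
_HOST_HEADER = re.compile(r"^Host:\s*(\S+)$", re.IGNORECASE)


def find_cleartext_tokens(capture):
    """Return (host, path) for every request that carried the token outside TLS.

    `capture` is an iterable of (inside_tls, raw_request_text) pairs.
    """
    findings = []
    for inside_tls, raw in capture:
        if inside_tls:
            continue                      # token inside TLS is not exposed
        lines = raw.split("\r\n")
        if not lines or not any(_AUTH_HEADER.match(line) for line in lines):
            continue                      # no token in this cleartext request
        match = _REQUEST_LINE.match(lines[0])
        path = match.group(1) if match else "?"
        host = "?"
        for line in lines[1:]:
            host_match = _HOST_HEADER.match(line)
            if host_match:
                host = host_match.group(1)
                break
        findings.append((host, path))
    return findings


# Constructed sample capture: one exposed sync request, one protected by TLS,
# one cleartext request that carries no token.
SAMPLE_CAPTURE = [
    (False, "GET /sync/calendar HTTP/1.1\r\nHost: calendar.example.invalid\r\n"
            "Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_1\r\n\r\n"),
    (True, "GET /sync/contacts HTTP/1.1\r\nHost: contacts.example.invalid\r\n"
           "Authorization: GoogleLogin auth=CONSTRUCTED_TOKEN_2\r\n\r\n"),
    (False, "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_cleartext_tokens(SAMPLE_CAPTURE))
    print(auth_headers("CONSTRUCTED_TOKEN_1",
                       "https://calendar.example.invalid/sync/calendar", 0, 3600))
```

Run stand-alone, the detector reports only the first sample request, and the guard hands back the header for the https URL while refusing an http URL or a token older than 14 days. The same `find_cleartext_tokens` logic can be pointed at a real request log from a monitoring point on a guest network to confirm that no client is still sending the header in the clear after a fix like the one Google describes below has rolled out.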

In response, Google (NASDAQ:GOOG) said it will change the way its Android services work to ensure the information isn't vulnerable when a user connects to an open Wi-Fi network.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," Google said in a statement. "This fix requires no action from users and will roll out globally over the next few days."
