A loophole in Android TV OS left a backdoor open for users to access a TV owner’s Gmail inbox among other things, but Google is rolling out a fix, and the company has now confirmed what that fix is.
Android TV OS, like Android on your phone, signs into a Google account at the system level. This allows certain apps, like Google Chrome, to sign into that Google account without requiring a password. That’s by design and generally not a problem as smartphones and tablets typically have a PIN, password, or biometrics protecting the apps on your device.
That is not the case with Android TV and Google TV, though.
It was first pointed out earlier this year and then highlighted in a report this week that malicious actors could, in theory, sideload Google Chrome onto an Android TV OS device and then use that to access the Google account of the TV’s owner. It’s not so much a security exploit, but a loophole that’s not super difficult to pull off, as long as you know how to access an APK and sideload the app.
Google, in a statement to 404 Media, had already confirmed that a fix was rolling out to Google TV and Android TV to fix the problem, but hadn’t detailed what that fix was.
Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices.
Speaking to 9to5Google, the company offered a bit more context.
Going forward on Google TV and Android TV, sideloading Google Chrome will no longer automatically use the login token for the Google account when accessing Gmail or Google Drive on the device.
So, while that likely won’t prevent all means of account access through the unlocked TV, it should go a very long way in preventing access to an account’s most sensitive data.
Google added (after this post was published) that the update is rolling out via an app update, so older devices will be getting the change, too.
More on Android TV:
Google confirms Wear OS 5 and Android TV updates are coming, more at I/O
Can you turn off YouTube’s invasive new TV screensaver?
It’s gotten way easier to buy a spare remote for Google TV, but you should be wary
Follow Ben: Twitter/X, Threads, and Instagram
FTC: We use income earning auto affiliate links. More.
>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : 9to5google.com – https://9to5google.com/2024/04/26/google-android-tv-account-security-loophole-fix/