A trio of German security researchers from the University of Ulm have looked into the question of whether “it was possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs (application programming interface).” In other words: We are so hosed.
The problem is in the way that applications which deal with Google services request authentication tokens. These tokens are sometimes not even encrypted themselves and are good, in some cases, for up to two weeks. All a hacker has to do is grab these off an open Wi-Fi connection and they have the “key” to someone’s Gmail account, their Google calendar, or what have you.
It’s not just limited to Android apps though. The researchers also report that “this vulnerability is not limited to standard Android apps but pertains to any Android apps and also desktop applications that make use of Google services via the ClientLogin protocol over HTTP rather than HTTPS.”
Grabbing this information off the air is trivial. While it’s not as easy as using Firesheep to hijack a Web session, anyone with a lick of hacking talent and a network protocol analyzer such as Wireshark can grab your tokens. With those in hand they can then change your Google passwords or do anything else they want with your various Google accounts.
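A defender-side check for the exposure described above, as an added example that is not from the article or the researchers: it scans outbound requests recorded from your own app and flags any that carry a ClientLogin token over plain HTTP, reporting only a fingerprint of each exposed token. The `Authorization: GoogleLogin auth=` header format comes from the ClientLogin protocol rather than from this page; the hosts, paths, token values and function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample: outbound requests recorded from your own app in a test
# setup (for example, exported from a debugging proxy). All values are fake.
SAMPLE_REQUESTS = [
    {"url": "https://login.example.test/accounts/ClientLogin", "headers": {}},
    {"url": "http://calendar.example.test/feeds/default",
     "headers": {"Authorization": "GoogleLogin auth=FAKE-TOKEN-AAAA"}},
    {"url": "https://contacts.example.test/feeds/default",
     "headers": {"authorization": "GoogleLogin auth=FAKE-TOKEN-BBBB"}},
    {"url": "HTTP://contacts.example.test/feeds/default",
     "headers": {"Authorization": "googlelogin  auth=FAKE-TOKEN-AAAA"}},
]

def token_fingerprint(token):
    """Short SHA-256 prefix so reports never contain the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]

def audit_requests(requests):
    """Return one finding per request that sends a ClientLogin token unencrypted."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])  # urlsplit lowercases the scheme
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        scheme, _, params = headers.get("authorization", "").partition(" ")
        key, _, token = params.strip().partition("=")
        if scheme.lower() != "googlelogin" or key.lower() != "auth" or not token:
            continue  # not a ClientLogin-authenticated request
        if url.scheme == "https":
            continue  # token travelled inside TLS
        findings.append({"host": url.hostname, "path": url.path,
                         "token_id": token_fingerprint(token)})
    return findings

def tokens_to_revoke(findings):
    """Distinct exposed tokens (by fingerprint) with the hosts they were sent to."""
    exposed = {}
    for f in findings:
        exposed.setdefault(f["token_id"], set()).add(f["host"])
    return {tid: sorted(hosts) for tid, hosts in exposed.items()}

if __name__ == "__main__":
    for tid, hosts in tokens_to_revoke(audit_requests(SAMPLE_REQUESTS)).items():
        print(f"token {tid} sent over plain HTTP to: {', '.join(hosts)}")
```

Any token the audit reports should be treated as disclosed, and the request that sent it moved to HTTPS.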