AllInfo

Google Wallet PIN can be recovered on a rooted device

Google Wallet contains a vulnerability on rooted devices. An attacker who has a rooted smartphone can easily break the encryption of the PIN with a brute-force attack.

The vulnerability was disclosed by security firm Zvelo, following a report by Via Forensics on the possible risks of Google Wallet. On an Android smartphone with the Google Wallet app, the PIN is stored as a SHA-256 hash. Despite the use of a salt, the code is easy to recover: because a PIN has four digits, there are only 10,000 possible hashes, which makes extracting the PIN through a brute-force attack simple.

In Google Wallet a PIN may be entered incorrectly up to five times, after which the app locks itself. This security measure is completely circumvented by working out the correct combination of digits, writes Zvelo. That can be done by comparing generated hashes, one by one, with the hash of the Wallet PIN; root access on the device is what makes that hash readable. Once a generated hash and the Wallet hash match, the PIN has been recovered.

Google has been notified of the vulnerability, but says that, after investigation, there is little it can do. The only real solution would be to move the PIN verification to the banks, which would require drastic changes to the security of the Wallet system.
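The following added example (not code from Zvelo, Google or the original article) contrasts the two designs described above: a salted SHA-256 PIN hash that can be read from the device, where the five-attempt lockout never comes into play, and a verifier that keeps the hash on the server and enforces the lockout itself. The `salt || pin` layout, the `RemoteVerifier` class and the sample PIN are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # lockout threshold stated in the article

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumed layout SHA-256(salt || pin); the article only says "salted SHA-256".
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_guesses_needed(stored: bytes, salt: bytes, digits: int = 4):
    """Count hash computations until a candidate matches a readable verifier.
    The app's attempt counter is never consulted in this path."""
    for n in range(10 ** digits):
        cand = f"{n:0{digits}d}"
        if hmac.compare_digest(pin_hash(cand, salt), stored):
            return cand, n + 1
    return None, 10 ** digits

class RemoteVerifier:
    """Hypothetical server-side check: salt and hash never leave the server,
    so the attempt counter cannot be sidestepped by reading local storage."""
    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._stored = pin_hash(pin, self._salt)
        self._failures = 0

    def verify(self, guess: str) -> str:
        if self._failures >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(pin_hash(guess, self._salt), self._stored):
            self._failures = 0
            return "ok"
        self._failures += 1
        return "wrong"

def online_guess_budget(verifier: RemoteVerifier, digits: int = 4) -> int:
    """Number of guesses the verifier answers before it locks."""
    answered = 0
    for n in range(10 ** digits):
        if verifier.verify(f"{n:0{digits}d}") == "locked":
            break
        answered += 1
    return answered

if __name__ == "__main__":
    salt = bytes(16)                 # constructed sample salt
    stored = pin_hash("7291", salt)  # constructed sample PIN
    print(offline_guesses_needed(stored, salt))          # full keyspace reachable
    print(online_guess_budget(RemoteVerifier("7291")))   # capped by the lockout
```

With the hash readable, the salt only prevents precomputed tables; the search space stays at 10,000, whereas the remote verifier caps an unknown party at five answered guesses.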

However, the impact of the leak is limited. The Android device has to be rooted, because by default Android runs apps in a sandbox. An attacker must also have access to the device, and the owner of the smartphone must not have set any lock-screen security. Currently, only Google's own Nexus and Galaxy Nexus support the Wallet service.
