The second issue identified was not new, and it couldn’t even be considered a hack. According to Android Central, if someone physically gained access to a Nexus phone and wiped the app data on Google Wallet, the next time the program was launched, it would require the user to enter a new PIN.
This could have allowed the thief to access the Google Wallet prepaid card and transfer its balance.
After the flaw started making headlines, Google decided to temporarily disable the provisioning of prepaid cards as a precaution until the issue was fixed. Yesterday, February 14, Google made an update to the original message, announcing that the ability to issue new prepaid cards to the Wallet has been restored.
“In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers,” said Osama Bedier, vice president of Google Wallet and Payments.
While this issue was swiftly addressed, the brute-force attacks demonstrated by zvelo are still not considered to be a real threat, mainly because the attack method works only on rooted phones.
However, zvelo supports its initial argument that the problem is a cause for concern among average consumers. They suggest that if the phone is stolen, the crook can take his time and root the device before brute-forcing the PIN.
The bottom line is that even though there haven’t been any known situations in which the vulnerabilities were exploited, it’s always good to be aware. Also, this should act as a warning signal for developers who should make sure that sensitive data is always stored in places that are secure, whether or not the device is rooted.