Early this morning security firm Zvelo revealed a hack for Google Wallet that exposed a user’s PIN. Fortunately this vulnerability only affected rooted phones, as Google was quick to point out to The Next Web. Now a second hack has been posted online that works on non-rooted devices and requires no special hacking skills.
Mobile blog TheSmartphoneChamp uploaded a video to YouTube that demonstrates the vulnerability. All someone has to do to access your funds is clear the data in app settings, which will force Google Wallet to prompt them to enter a new PIN. Once the new PIN has been entered, they can add a Google Prepaid Card that is tied to the device and access any available funds.
It sounds almost too simple to be true, but I tested it on my Galaxy Nexus with the latest official version of Google Wallet and it works like a charm. We expect Google will be releasing an update shortly to address both issues.
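The weakness described above comes down to where the two secrets live: the PIN sits in app-local data that anyone holding the phone can wipe from Settings, while the prepaid card is bound to the device itself, so a fresh PIN plus a re-added card restores access to the balance. The following is an added toy model of that design and of the obvious fix (requiring account re-authentication before a card can be re-provisioned after local state is cleared). It is illustration code written for this post, not Google Wallet's code; the class and function names, the "device-1" identifier, the account and password are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the behaviour described in the post. Names and
# structure are assumptions for illustration, not Google Wallet's design.


class PrepaidServer:
    """Server side: prepaid balance keyed by account, device bound to account."""

    def __init__(self, require_account_auth):
        self.require_account_auth = require_account_auth
        self.password_hash = {}   # account -> sha256(password)
        self.balance = {}         # account -> cents
        self.device_owner = {}    # device_id -> account
        self.card_tokens = {}     # issued card token -> account

    def register(self, account, password, device_id, balance_cents):
        self.password_hash[account] = hashlib.sha256(password.encode()).digest()
        self.balance[account] = balance_cents
        self.device_owner[device_id] = account

    def provision_card(self, device_id, password=None):
        """Issue a card token to an app instance on device_id.

        Insecure mode: the device id alone is enough (the card is "tied to the
        device"), so a freshly reset app on the same phone gets the money back.
        Hardened mode: the caller must also prove the account password.
        """
        account = self.device_owner.get(device_id)
        if account is None:
            return None
        if self.require_account_auth:
            expected = self.password_hash[account]
            given = hashlib.sha256((password or "").encode()).digest()
            if not hmac.compare_digest(expected, given):
                return None
        token = secrets.token_hex(8)
        self.card_tokens[token] = account
        return token

    def charge(self, token, cents):
        account = self.card_tokens.get(token)
        if account is None or self.balance[account] < cents:
            return False
        self.balance[account] -= cents
        return True


class WalletApp:
    """App side: the PIN hash and card token live only in app-local data."""

    def __init__(self, device_id, server):
        self.device_id = device_id
        self.server = server
        self.data = {}  # exactly what Android's "Clear data" button wipes

    def set_pin(self, pin):
        salt = secrets.token_bytes(16)
        self.data["pin"] = (salt, hashlib.sha256(salt + pin.encode()).digest())

    def check_pin(self, pin):
        if "pin" not in self.data:
            return False
        salt, digest = self.data["pin"]
        return hmac.compare_digest(digest, hashlib.sha256(salt + pin.encode()).digest())

    def clear_data(self):
        self.data = {}

    def add_prepaid_card(self, password=None):
        token = self.server.provision_card(self.device_id, password)
        if token:
            self.data["card"] = token
        return token is not None

    def spend(self, pin, cents):
        return self.check_pin(pin) and "card" in self.data \
            and self.server.charge(self.data["card"], cents)


def can_spend_after_local_reset(require_account_auth, knows_password=False):
    """Owner sets up the wallet; then local app data is cleared, a new PIN is
    chosen and the card is re-added. Returns whether the balance is reachable."""
    server = PrepaidServer(require_account_auth)
    server.register("owner@example.com", "correct horse", "device-1", 5000)
    app = WalletApp("device-1", server)
    app.set_pin("1234")
    app.add_prepaid_card("correct horse")
    assert app.spend("1234", 100)  # the owner can spend normally

    app.clear_data()            # the step the post describes
    app.set_pin("0000")         # Wallet prompts for a brand-new PIN
    app.add_prepaid_card("correct horse" if knows_password else None)
    return app.spend("0000", 100)


if __name__ == "__main__":
    print("device-bound card, no re-auth:", can_spend_after_local_reset(False))
    print("re-auth required:", can_spend_after_local_reset(True))
    print("re-auth required, owner with password:", can_spend_after_local_reset(True, True))
```

The point of the hardened mode is that a local reset must not be a credential: once app data is gone, the only thing the server should trust is something the legitimate owner knows (the account password) or a server-side revocation, which is also why Google's advice to call support and disable the prepaid card works as a stop-gap.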
As a reminder, if you want to protect your Android phone it is best to set up the lock screen and install tracking software like Lookout in case you ever lose your device.
Update: Google has provided us with the following statement: “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”