Experts from Zvelo Labs found a vulnerability in Google Wallet
Google's payment system is one of the youngest, and it is clear that this "fresh" service still needs polishing and fixes for the flaws that have been found. Recently, experts from Zvelo Labs, represented by Joshua Rubin, published information about a critical vulnerability found in Google Wallet. The Zvelo Labs team not only found the vulnerability, but also wrote a special program to exploit this "hole." The program makes it possible to quickly find out the PIN of a Google Wallet account holder.
True, this requires physical access to a mobile device with the payment application installed. However, that is not much of an obstacle: if necessary, attackers can easily identify owners of mobile devices with Google Wallet and steal those devices. There are plenty of "craftsmen" capable of pulling this off. Lost phones can also serve as a source of income for an attacker.
The Zvelo Labs expert now says that the developers at Google have already been informed about this vulnerability and are trying to close the hole as soon as possible. Joshua Rubin, who discovered the vulnerability, says that the application he wrote makes it easy to find out the payment system user's PIN on the second attempt (five attempts are allowed to enter the correct PIN). The good news is that the PIN cannot be found remotely; physical access to the device is required, as mentioned above.
Interestingly, information was recently published about another vulnerability that allowed access to the wallet by clearing data from the phone. As a result, the deceived program performs a "first run" in its initial configuration. All this allows an attacker to easily use Google Wallet on someone else's phone.
Below you can see a demonstration of the principle of the second vulnerability.