The private data of 500 million Android phone and social networking site users may have been stolen by hackers without their knowledge, say engineering professors at the Chinese University of Hong Kong.
Security loopholes in Android devices and social media were recently discovered by research teams at the department of information engineering.
Professor Zhang Kehuan and his research team discovered a serious vulnerability in Android's built-in voice assistant module through which an attacker can steal a user's personal data, including calendar entries, voicemails and location.
The attacker can also control the compromised device remotely, sending e-mails and messages on the user's behalf without permission.
Loopholes in Android smartphones could see the personal data of up to 500 million users hacked and leaked.
Zhang said the team had reported the vulnerability and the corresponding attack schemes to the Google Security Team and the problem has been partly fixed in the subsequent versions of Google Voice Search.
“We suggest that smartphone users consider applications provided by the official stores only and not to install applications from untrusted sources,” Zhang added.
Lau Wing-cheong, associate professor of the department, and his team have found security problems in the design, implementation and practical deployment of the OAuth (Open Authorization) protocol, which many online social networks have adopted for third-party log-in and data sharing.
Lau found that attackers can impersonate legitimate applications and obtain access tokens from social networking sites; those tokens can then be used to harvest personal information or any other data an internet user shares on his social media page.
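The article does not say which specific flaw the team found, so the following is an added illustration of a general OAuth deployment check rather than the researchers' code or the fix they proposed. An attacker who registers their own application can legitimately obtain a token from the social network; the danger arises when a backend accepts any valid-looking token without confirming that it was issued to that backend's own application. The example below assumes a hypothetical client ID (`app-12345`) and uses constructed token-introspection responses in the RFC 7662 shape (`active`, `client_id`, `aud`, `exp`); none of the values are from a real provider.

```python
from __future__ import annotations

import hmac
from typing import Any

# Hypothetical client ID under which this backend was registered with the
# social network. An assumption for this example, not from the article.
OUR_CLIENT_ID = "app-12345"

# Constructed token-introspection responses (RFC 7662 shape). Made up for
# this example; not captured from any real provider.
SAMPLE_INTROSPECTIONS = {
    # Token the social network issued to OUR application: should be accepted.
    "issued_to_us": {
        "active": True, "client_id": "app-12345", "aud": "app-12345",
        "sub": "user-42", "scope": "email public_profile", "exp": 2_000,
    },
    # Token issued to a different (attacker-registered) application and then
    # presented to our backend: must be rejected even though it is "active".
    "issued_to_other_app": {
        "active": True, "client_id": "app-99999", "aud": "app-99999",
        "sub": "user-42", "scope": "email public_profile", "exp": 2_000,
    },
    # Token the provider reports as revoked or otherwise inactive.
    "revoked": {"active": False},
    # Token issued to us but already past its expiry.
    "expired": {
        "active": True, "client_id": "app-12345", "aud": ["app-12345"],
        "sub": "user-42", "scope": "email", "exp": 500,
    },
}


def _audience_includes(aud: Any, client_id: str) -> bool:
    """`aud` may be a single string or a list of strings; accept only if
    our client ID is among them. compare_digest avoids timing leaks on
    ASCII identifiers (it raises on non-ASCII str, which we treat as no match)."""
    if aud is None:
        return False
    auds = [aud] if isinstance(aud, str) else list(aud)
    for candidate in auds:
        if isinstance(candidate, str):
            try:
                if hmac.compare_digest(candidate, client_id):
                    return True
            except TypeError:
                continue
    return False


def accept_token(intro: dict, expected_client_id: str, now: int) -> tuple[bool, str]:
    """Decide whether to trust an access token based on its introspection
    result. Returns (accepted, reason). The decisive check for the
    app-impersonation case is that `client_id` (and `aud`, when present)
    name OUR application, not merely that the token is active."""
    if intro.get("active") is not True:
        return False, "inactive"
    if "exp" in intro and intro["exp"] <= now:
        return False, "expired"
    cid = intro.get("client_id")
    if not isinstance(cid, str) or not hmac.compare_digest(cid, expected_client_id):
        return False, "client_id mismatch"
    if "aud" in intro and not _audience_includes(intro["aud"], expected_client_id):
        return False, "audience mismatch"
    return True, "ok"


def check_all(now: int = 1_000) -> dict[str, tuple[bool, str]]:
    """Run the check over every constructed sample at a fixed 'now'."""
    return {
        name: accept_token(intro, OUR_CLIENT_ID, now)
        for name, intro in SAMPLE_INTROSPECTIONS.items()
    }


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:22s} -> {verdict}")
```

The point of the example is the `client_id`/`aud` comparison: a token that is active, unexpired and scoped to the victim's profile is still refused when it was issued to another application. A backend that skips that comparison and only asks the provider "is this token active?" is exactly the kind of deployment a token obtained under a disguised application can abuse.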
Lau said his team’s findings showed an urgent need for industrial practitioners to review their OAuth system design to protect users’ privacy.
“We have informed all the affected online social network providers and proposed solutions that can be readily deployed,” he said.
However, he said internet users can hardly protect themselves from privacy leaks because the problems lie with the network service providers and their system designs.
“But I recommend internet users not to authorize any third-party application on social media sites,” Lau said.