On Monday, 6 April 2015 10:15:14 UTC+1, Jeffrey Walton wrote: > > On Mon, Apr 6, 2015 at 5:10 AM, Gareth Davies <gruf...@gmail.com > <javascript:>> wrote: > > If anyone interested in Google's server side Android sign in security is > > reading this forum, would they please look in to this problem. > > https://code.google.com/p/android/issues/ > > Or maybe send an email to secu...@google.com <javascript:> since its a > Google > Accounts problem (and not a AOSP problem per se). > > Or submit them to both places so one hand knows what the other is doing. >
Thank you. I will do. This is a big issue because it suggests that a third party site is able to authenticate a login using a Google server token without any user involvement beyond an initial TOS and privacy agreement. Nowhere in the Google list of approved apps, services or sites does Mightytext appear and it also survives a factory reset of all the Android devices that have been used to access the service. I requested the third party service to delete my account which, of course, only deletes the data they hold. It does not delete the login token which, presumably, still exists. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
