Recent Google Wallet vulnerability could expose credit card information

What you need to know

  • Recent findings have unveiled a loophole in Android, particularly with Google Wallet.
  • Cards linked to the wallet risk exposing themselves if NFC and App pinning features are enabled.
  • Google is said to be aware of the issue, and the recent September 2023 security patch for Android devices might have fixed it.
  • The Pixel phones, however, are yet to receive the security patch.

Android screen pinning, aka app pinning functionality, is a nifty feature that lets users pin specific apps (via apps overview) on their screens. However, a recent security vulnerability has revealed that this feature can put your credit/debit cards at risk if linked to your Google Wallet.

A recent Github finding (via 9to5Google) has revealed a possible way to get your card details linked to Google Wallet through a general-purpose NFC reader (Flipper Zero, in this case). The finding suggests this is due to a logic error in the code when the device resides in lock screen mode — with app pinning enabled — and the NFC turned on. The risk is significant as user interaction isn’t necessary for this exploitation.

The Github member used a Google Pixel 7 Pro with App Pinning enabled and “Ask for Pin before unpinning” turned on. At least one card has to be linked to Google Wallet. Additionally, NFC has to be enabled with the “Required device unlock for NFC” option allowed.

In this state, the phone is vulnerable as pointing a POS (Flipper Zero in this case) at the back of the Pixel 7 Pro could read the card’s data (including card number expiry date) that was registered in Google Wallet.

This makes it possible for anyone with an NFC reader, like

Read More ...

Pass sharing is coming to Google Wallet at long last

The service is finally catching up to Apple Wallet

Announced in 2022, Google Wallet is a neat way to organize all your important passes and cards, replacing Google Pay in some regions. One of the upcoming additions to the app would allow customers in Brazil to make payments on Wallet using a QR code, effectively enabling payments on devices without NFC capabilities, similar to how the current Google Pay app functions in India. The app is now on the brink of picking up another handy feature that lets users share passes stored in Wallet with their friends and family.

This appears to be a part of the Google System Updates for July 2023. However, any mention of pass sharing seems to have been removed from the official support documentation detailing the changes. But some digging around by The Verge has uncovered a Google Wallet support page that mentions pass sharing toward the end of the page.

Shareable passes would have the familiar Share icon next to them, Google says. Meanwhile, passes sent in this manner cannot be unsent, and the people you sent it to would be free to forward it to whoever they please. Keeping this in mind, Wallet users are advised to exercise caution when sharing passes on Wallet.

A spokesperson for Google confirmed the development in a statement to The Verge, saying the company is working on letting customers share “select passes.” While this is certainly a welcome inclusion, Apple’s alternative, Apple Wallet, has allowed pass-sharing for quite a while now.

The mention of Device Connectivity support for Wear OS under the July 2023 Google System Updates list is also noteworthy, with 9to5Google suggesting this could be a reference to the long-awaited ability to sync Bedtime mode and Do Not Disturb on a Pixel Watch and

Read More ...

Google Wallet will soon let you share your passes with other people

Google Wallet is set to get a new pass sharing feature that some users have been asking for since the days of its predecessor, Google Pay.

A new entry at the bottom of the support page now says that users can share “some passes” from their own Wallet with other Google Wallet users. “We are working on a feature that will allow Wallet users to share select passes,” Google spokesperson Leismer Schulten also confirmed to The Verge. Event tickets and boarding passes were provided as examples, though it’s up to the companies who issue passes through Google Wallet to enable the feature.

Pass sharing will only work with services that enable the feature

The new Google Play system updates will roll out throughout July. No specific services supporting the feature have been announced yet, but you’ll be able to identify which passes can be shared by a Google “Share” icon that will appear above them. The support page warns, however, that you can’t unsend anything once you’ve shared that link, and the recipient can then forward that pass to anyone they like.

Google has been adding a bunch of other features to its Wallet app in recent weeks, including support for state ID and driver’s licenses in Maryland and the ability to upload passes by taking a photo of them. This latest addition to the Google Wallet toolbox could make life a bit easier for those of us who get stuck organizing entertainment and travel arrangements for friends and family. Google is a little late to the party, though — Apple Wallet has supported pass sharing for years.

link … Read More ...