Update (April 27, 11:00 am ET): Google provided more context on the fix that it’s rolling out.
What you need to know
- A loophole in Android TV could allow unauthorized access to Gmail and other linked services if someone gains physical access to the device.
- Through an Android TV box, individuals can potentially hack into the Google account of the last user, compromising Gmail and Google Drive.
- Initially, Google implied the behavior was expected, but later acknowledged the security flaw and claimed to have fixed it on newer Google TV devices.
A security loophole in Android TV could allow anyone to snoop on your Gmail and other linked services if they get their hands on your device, according to 404 Media.
As per a video posted on YouTube by Cameron Gray earlier this year, if someone gets their hands on an Android TV box, they can pretty much hack into the Google account of whoever last logged in, including their Gmail and Google Drive (via Mishaal Rahman).
PSA: Do not sign into your personal Google Account on any Android TV device you don’t own! https://t.co/l0FScUVT4MApril 25, 2024
If Google Chrome spots a Google account on the device it’s installed on, it automatically signs you in to any Google services you visit. Now, since Android TV is basically Android in essence, it treats the owner’s Google account sign-in like it’s permanent, so they automatically get logged in to approved apps from the Play Store.
Even though Google doesn’t officially let you install Chrome on Android TV, you can still sideload it to sneak it on there. And once it’s on, you’ve got access to Gmail, Drive, and all the other services, as demonstrated by the video.
In the video, Gray installs a third-party web browser called “TV Bro” that you can grab from the Play Store for Android TV. He uses it to dig up an APK for Chrome from some online archive and installs it without any trouble. But the app doesn’t play nice with TV remotes, so you will need a keyboard and mouse.
Once Chrome is up and running, it’s as easy as pie to hop over to Gmail’s website and you’re in—no password needed, no PIN, or biometrics required to prove you’re the TV’s owner.
Based on what Gray found, Android TV’s weak security makes it a prime target for peeking into signed-in email accounts. If you’re only using Android TV at home, you’re probably in the clear. But if you’re logging into Android TV from some device outside your crib, that’s when you’re asking for trouble.
Google’s initial stance suggested that’s how this is supposed to work, which technically is true. But it’s still a big security goof. Recently, Google said it fixed the problem on newer Google TV devices.
The search giant told 404 Media that most of its Google TV devices with the latest software updates no longer allow this shady behavior to happen anymore. But for the rest of the devices, Google is working on pushing out a fix soon.
Android Central reached out to Google for clarification on how exactly it plans to resolve the issue, and we’ll update this article once we hear back.
Update
In a statement to 9to5Google, the company clarified that from now on, when you sideload Chrome on Google TV and Android TV, it won’t automatically use the login token for your Google account when you’re trying to access Gmail or Google Drive on the device.
Additionally, the fix is coming through an app update, so even older devices will get the patch.
