February 15, 2012 | by Andrew Kameka
After discovering that Google Wallet is susceptible to a simple exploit that removes a user’s PIN and exposes funds to prepaid cards, Google disabled the ability to add money to a prepaid Google Wallet card. Late last night, the company restored that function after implementing a fix that no longer makes prepaid funds so easy to take over.
Omar Bedier, VP of Google Wallet and Payments, confirmed that new prepaid funds are once again available to Wallet users. Bedier wrote, “We issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers.”
The previously-covered exploit that grants access to a Google Wallet PIN on a rooted Android device, has yet to be patched. More concerning is that the company that discovered this security hole, zvelo, now claims that non-rooted devices are not as safe as originally thought. That’s because a proof of concept code can root a device without losing data (most root methods require wiping phone data). The idea is that a developer could then release an app with this code embedded, scan the device to see if Google Wallet is present, and then forcibly discover the Wallet PIN. Of course, such an app would not be approved in the Android Market thanks to Bouncer recognizing that something fishy was afoot.
For now, Google Wallet users can continue using the service without fear. There’s always a risk that your funds could be spent if a phone is lost, but that risk is significantly lower than the likelihood of someone spending your money after finding your physical wallet. Google’s Wallet is already safer than the one in pocket, so let’s hope that this remaining patch is fixed soon.
[Zvelo] Thanks, Joshua