Google Addresses Security Issue on Android TVs, Allows Unauthorized Access to Emails and Other Services

Google has acknowledged the problem and is working on a fix for all affected devices.
Google is addressing a security issue on Android TVs that allows unauthorized access to emails and other Google services.
The problem arises due to the automatic login feature of the Android TV operating system.
Users can install Chrome browser as a workaround for direct access to Gmail, Drive, and other services.

Google is addressing a security issue with Android TVs that allows unauthorized access to emails and other Google services associated with accounts logged in to some Android TV units. The problem arises from the automatic login feature of the Android TV operating system, which treats the owner's Google account as a persistent one, allowing easy access to approved apps from the Play Store without requiring a password.

A workaround exists that enables users to install the Chrome browser on Android TVs through sideloading. This provides direct access to Gmail, Drive, and other services. The issue was first reported by 404 Media and later shared with Google by Senator Ron Wyden's office.

Google has acknowledged the problem and is working on a fix for all affected devices. In the meantime, users can take precautions such as using a separate Google account designated as a family member account to log in to Android TV sets or keeping their software up-to-date.

The loophole was demonstrated by YouTuber Cameron Gray, who installed Chrome on an Android TV and accessed Gmail without any issues. However, Google initially considered this expected behavior and not a security issue. After facing criticism, the company has now committed to fixing the problem.

Google TV devices running the latest versions of software already do not allow this behavior. For other older devices, a fix is being rolled out.



Confidence

90%

Doubts
  • Are there any other ways to access emails and other services on Android TVs besides Chrome?
  • Is the automatic login feature the only cause of this security issue?

Sources

96%

  • Unique Points
    • Sideloading Google Chrome on Android TV or Google TV no longer automatically uses the login token for the Google account when accessing Gmail or Google Drive.
  • Accuracy
    • A loophole in Android TV OS allowed unauthorized access to a Google account's Gmail inbox and other information.
    • Google is rolling out a fix to prevent this issue on Google TV and Android TV.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

96%

  • Unique Points
    • Google account access: Sideloading apps on an Android TV device grants attackers with physical access to the device access to the entire Google account.
    • Google’s response: Google has patched a security loophole that allows unauthorized access to a user’s Google account through Android TV devices.
    • Senator Wyden’s involvement: US Sen. Ron Wyden (D-Ore.) brought the issue to Google’s attention as part of a review of streaming TV technology providers.
    • Android TV setup: During the initial setup, users are asked for a Google account which is expected to live on the device forever as the owner’s primary account.
    • Google apps access: Any new Google app installed on an Android device automatically gets access to this central Google account repository.
    • Sideloading Chrome: Sideloading Chrome on an Android TV device grants attackers access to all passwords and cookies, including Gmail, Photos, Chat history, Drive files, YouTube accounts, AdSense and partial credit card info.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The author commits an appeal to authority fallacy by citing US Sen. Ron Wyden's discovery of the issue and Google's response to it. The author also uses inflammatory rhetoric by describing the loophole as 'nasty' and 'alarming'.
    • Google originally told the senator that the issue was expected behavior
    • Google says it has patched a nasty loophole in the Android TV account security system
    • My office is mid-way through a review of the privacy practices of streaming TV technology providers.
    • As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set-top box, a criminal could get access to private emails of the Gmail user who set up the TV.
    • Google says it has fixed this problem.
  • Bias (95%)
    The author expresses concern about the security of Android TV devices and how they can grant access to a user's entire Google account if an attacker gains physical access. He provides examples of how this can be done by sideloading apps on the device. The author also mentions that Google has acknowledged the issue and is working on a fix.
    • Google says it has patched a nasty loophole in the Android TV account security system, which would grant attackers with physical access to your device access to your entire Google account just by sideloading some apps.
    • In the video, Gray simply grabs an Android TV device, goes to a third-party Android app site, then sideloads Chrome. Chrome automatically signs in to the TV owner's Google account and has access to all passwords and cookies
    • It's all just Android — Should sideloading Chrome on an old smart TV really compromise your entire account?
    • The result is that signing in to an Android TV device often gives it access to your entire Google account. Any new Google app you add to your device automatically gets access to this central Google account repository, so if you set up the phone and then install Google Keep, Keep automatically gets signed in and gains access to your notes.
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • Google is working on a fix to prevent unauthorized access to emails and other services associated with Google accounts logged in to some Android TV units.
    • Android TV operating system allows automatic login to allowed apps from the Play Store, including Gmail and Drive.
    • A workaround exists that allows Chrome browser installation on Android TV, providing easy access to Gmail, Drive, and other services.
  • Accuracy
    • Google considers this behavior as expected but not a security issue. However, they are rolling out a fix for all devices.
    • Users can use a different Google account designated as a family member to log in to Android TV sets and keep their privacy.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

81%

  • Unique Points
    • Android TV stores Google account login without any security measures, which can be ordinarily abused with browser apps to log into Google services.
  • Accuracy
    • Google mentions that it has fixed the loophole on newer devices running the latest Google TV and is fixing it for other older devices.
    • Anyone with physical access to the smart TV can view all your Google account data and potentially compromise your account if you’ve signed into Android TV.
    • The loophole allows bad actors to sign in to Gmail, Google Chrome, and other browsers on the TV without a password or any confirmation of identity as the owner of the device.
    • Google has changed its position and mentioned that it has ‘fixed’ the issue on newer Google TV devices and is in the process of fixing it on older devices.
    • Google advises users to update their devices to the latest software for better security.
  • Deception (30%)
    The article discusses a security vulnerability in Android TV that allows unauthorized access to Google accounts. The author states that anyone with physical access to the TV can sign into Google services without requiring any authentication. This is a clear example of selective reporting as the author only reports details that support their position, while ignoring the fact that Google has acknowledged the issue and is working on a fix.
    • You can read emails and even move forward with resetting and taking over the signed-in account.
  • Fallacies (85%)
    The article mentions a security loophole in Android TV that allows unauthorized access to Google accounts. The author states that anyone with physical access to the TV can sign into Google services without requiring any authentication. This is an example of a lack of security measure or poor implementation fallacy, as the author is pointing out that Android TV does not have adequate protection for user accounts and login credentials. However, it's important to note that this issue only affects devices where users have signed in with their Google accounts on Android TV. The article also mentions that Google has acknowledged the issue and is working on a fix.
    • Google mentions that it has fixed the loophole on newer devices running the latest Google TV and is fixing it for other older devices.
    • However, if you can sideload Chrome onto Android TV (which is quite easy if you know what you are doing), you can navigate to web versions of Gmail or any other Google services via Chrome and automatically sign in. No password is needed to sign in, and no PIN or biometrics are required to confirm your identity as the TV’s owner.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication

85%

  • Unique Points
    • Smart TVs can leak email inboxes remotely.
    • Attackers can gain access to the inbox of the email address logged in on a smart TV.
    • Third-party browsers can be installed on Android TVs, allowing access to Google accounts and associated data.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (30%)
    The article by Adam Conway on xda-developers.com discusses the potential security risks of logging into Google accounts on hotel smart TVs. While the information provided is factual, it employs sensationalism and selective reporting to manipulate readers' emotions and create a sense of urgency. The author states that 'Smart TVs can leak email inboxes - remotely log out.' This statement is true but misleading as it implies that smart TVs have an inherent vulnerability, when in reality, the issue lies with third-party browsers installed on these devices. The article also selectively reports on a specific incident where an attacker gained access to someone's email account through a hotel smart TV without mentioning that the attack required physical access to the TV and manual installation of Google Chrome. This omission creates a false sense of danger and can mislead readers into believing that their smart TVs are more vulnerable than they actually are.
    • An attacker could easily access sensitive information that they weren’t supposed to.
    • Smart TVs can leak email inboxes - remotely log out.
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication