What you need to know
- A flaw in Android TV could allow unauthorized access to Gmail and other linked services if someone gains physical access to the device.
- Using an Android TV box, individuals may be able to hack into the last user’s Google account, thereby compromising Gmail and Google Drive.
- Google initially suggested that the behavior was expected, but later acknowledged the vulnerability and claimed to have fixed it on newer Google TV devices.
According to 404 Media, a security flaw in Android TV could allow anyone to spy on your Gmail and other linked services if they get their hands on your device.
According to a video Cameron Gray posted on YouTube earlier this year, if someone gets their hands on an Android TV box they can essentially hack into the last logged-in user’s Google account, including Gmail and Google Drive (via Mishaal Rahman).
PSA: Don’t sign in to your personal Google account on any Android TV device you don’t own! https://t.co/l0FScUVT4M April 25, 2024
When Google Chrome detects a Google Account on the device where it is installed, you will automatically be signed in to all Google services you visit. Because Android TV is essentially Android, the owner’s Google Account sign-in is treated like a permanent sign-in, automatically signing them in to approved apps from the Play Store.
Even though Google doesn’t officially allow you to install Chrome on Android TV, you can still sideload it to sneak it in there. And once it’s turned on, you’ll have access to Gmail, Drive and all other services as shown in the video.
In the video, Gray installs a third-party web browser called TV Bro, which you can download from the Play Store for Android TV. He then digs up an APK for Chrome from some online archive and installs it without any problem. However, since the app is not compatible with TV remote controls, you will need a keyboard and mouse.
Once Chrome is up and running, it’s a snap to hop over to the Gmail website and you’re in – no password, PIN or biometrics required to prove you’re the owner of the TV.
Based on Gray’s findings, Android TV is a prime target for access to logged-in email accounts due to its weak security. If you only use Android TV at home, you’re probably in the clear. However, if you sign in to an Android TV device outside of your home, that’s a problem.
Google’s initial stance was that this is how it is supposed to work, which is technically true. But it’s still a major security flaw. Recently, Google said it had fixed the issue on newer Google TV devices.
The search giant told 404 Media that with the latest software updates, most of its Google TV devices no longer allow this shady behavior. But for the remaining devices, Google is working to release a solution soon.
Android Central has reached out to Google to clarify exactly how it plans to resolve the issue. We will update this article as soon as we receive a response.