Google fixed a glaring account security loophole on Android TV OS [Video]

Ben Schoon | Apr 25 2024 - 12:45 pm PT

An account security loophole in Android TV OS can allow an unsupervised user to be able to access your Gmail inbox if given access to the television, but Google is working to fix it.

Android TV OS is the platform behind Android TV and Google TV, currently installed on millions of TV sets, streaming boxes, and more across the globe. The platform all but requires the use of a Google account, but that’s left the door open to an interesting security loophole.

As detailed earlier this year by Cameron Gray on YouTube, a loophole in Android TV OS when you sign into your Google account allows you to access Gmail and other account information without a user’s PIN or password, as the TV platform doesn’t require that information to access the device’s contents.

The way this loophole works is to sideload Google Chrome on an Android TV OS device, something which can be done relatively easily by first downloading another browser app on the Play Store. Once this is done, you can access your Gmail account and any other Google services via Chrome, as the browser will automatically be signed in by way of your Google account being signed into the TV. There’s never a password needed, which could certainly expose information if it gets into the wrong hands.

It’s a glaring and simple loophole, though maybe not one that’s immediately thought of given that Chrome isn’t technically supported on Android TV OS, can’t be downloaded from the Play Store, and is barely usable without pairing a mouse.

In a home or on a personal device it’s arguably not much of an issue, but it’s something that could quickly become an issue in a public or sensitive setting. With access to your inbox especially, a determined malicious party could do some real damage through password resets and more.

That’s exactly how this issue came under scrutiny.

As reported by 404 Media, the office of US Senator Ron Wyden is going through “a review of the privacy practices of streaming TV technology providers” and found the video above on YouTube. The Senator’s office sent the video to Google, upon which Google initially said this was expected behavior, which indeed is accurate.

Google has since updated its position, though. In a statement to 404, Google confirmed that it has been rolling out a change that prevents this sort of action, though the company didn’t explain how.

We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account. Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.

This theoretical loophole could cause some damage, so it’s nice to see that Google is working to fix it up.

In our testing this afternoon, we’ve been ~~completely unable to sideload Google Chrome on a Chromecast with Google TV running the latest updates. That’s despite trying multiple app versions.~~ We’ve reached out to Google to confirm if that, or something else is the fix mentioned.

Update 4/26: Speaking to 9to5Google, Google has confirmed that the fix it has implemented is to disable automatic sign-in of Gmail and Drive through Chrome on Android TV OS.