Skip to main content

Here’s how Google patched the account security loophole on Google TV and Android TV

Avatar for Ben Schoon  | Apr 26 2024 - 1:00 pm PT
1 Comment
chromecast with google tv

A loophole in Android TV OS left a backdoor open for users to access a TV owner’s Gmail inbox among other things, but Google is rolling out a fix, and the company has now confirmed what that fix is.

Android TV OS, like Android on your phone, signs into a Google account at the system level. This allows certain apps, like Google Chrome, to sign into that Google account without requiring a password. That’s by design and generally not a problem as smartphones and tablets typically have a PIN, password, or biometrics protecting the apps on your device.

That is not the case with Android TV and Google TV, though.

It was first pointed out earlier this year and then highlighted in a report this week that malicious actors could, in theory, sideload Google Chrome onto an Android TV OS device and then use that to access the Google account of the TV’s owner. It’s not so much a security exploit, but a loophole that’s not super difficult to pull off, as long as you know how to access an APK and sideload the app.

Google, in a statement to 404 Media, had already confirmed that a fix was rolling out to Google TV and Android TV to fix the problem, but hadn’t detailed what that fix was.

Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices.

Speaking to 9to5Google, the company offered a bit more context.

Going forward on Google TV and Android TV, sideloading Google Chrome will no longer automatically use the login token for the Google account when accessing Gmail or Google Drive on the device.

So, while that likely won’t prevent all means of account access through the unlocked TV, it should go a very long way in preventing access to an account’s most sensitive data.

Google added (after this post was published) that the update is rolling out via an app update, so older devices will be getting the change, too.

More on Android TV:

Follow Ben: Twitter/XThreads, and Instagram

Add 9to5Google to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Google on YouTube for more news:

Comments

Guides

Android TV

Android TV

Android TV is a version of the Android platform …
Google TV

Google TV

Author

Avatar for Ben Schoon Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.

Ben Schoon's favorite gear

Google Pixel Watch 2

Ben's smartwatch of choice with his phone is the Google Pixel Watch 2.

samsung galaxy s24 ultra

Reserve Galaxy S24

Reserve the Galaxy S24 series for free and get a $50 credit, no obligation required.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
Please wait...processing
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
Please wait...processing