A “weblogin” token issued by Google to Android users could be intercepted and abused by an attacker. Tripwire security researcher Craig Young’s Saturday presentation at the Def Con information security conference in Las Vegas. Young: Any attacker able to obtain a user’s token could access any Google service that the Android device is configured to use. Young has called on Google to give Google Apps administrators the ability to block all automatic access via weblogin tokens. Google has already addressed one attack vector highlighted by Young, which would have allowed someone in possession of a token to reset an account password.”]
Source: https://www.darkreading.com/attacks-breaches/android-one-click-google-apps-access-cracked