Google Wallet 'data clear' security hole plugged

Last week, two different hacks were uncovered for Google Wallet. One required the phone to be rooted and the hacker to have physical access to an unlocked phone. The second hack was far more sinister: it did not require the phone to be rooted and involved clearing the data in app settings. Google has officially plugged the second hack, restoring users' ability to use prepaid cards with Google Wallet again.

The more recent hack, discovered late last week, allowed a hacker to reset the Google Wallet PIN. This was accomplished by clearing the data in the app settings for Google Wallet. Once this was done, the app would get confused and prompt the user to enter a new PIN. After resetting the PIN, the hacker could link a prepaid card to the account and automatically have access to that payment method as well as all the other information previously stored in that user's wallet.

That hack did not require the phone to be rooted, and it was independently confirmed by a number of users as well as Google themselves. In response, Google disabled the use of prepaid cards with Google Wallet to try to put a stop to the exploit while they worked on a fix.

Google has now fixed the security hole that allowed this hack to happen, which means prepaid cards are once again okay to use with Google Wallet. The statement regarding this issue on the official blog for Google Wallet read:

"Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet. In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we're not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers. If you are unable to access your previous prepaid card balance for any reason, please contact our toll-free support for assistance."

The fix doesn't account for the other "hack", originally uncovered by zvelo. That hack seems to be far less of a concern because it requires someone with a good amount of knowledge and physical access to an unlocked, rooted phone with Google Wallet.
