The group explained on Friday that some Google account authentication tokens were apparently being sent over the air (OTA) unencrypted, leaving users' data freely available if they were on public Wi-Fi.
Hackers using simple software could steal account info for Google Calendar, Contacts and Picasa accounts.
Users with Android 2.3.4 are free of the issue, but 98.4 percent of Android devices run Android 2.3.3 or lower, making the fix useless for the vast majority.
Google has begun rolling out the server-side patch this week for Android 1.5 through 2.3.3, and the rollout will be completed by the end of the week.
Says Google, via CW:
Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
Written by: Andre Yoskowitz @ 18 May 2011 14:38