
Android loophole allows Google Wallet to leak credit card details via NFC, fix coming

We store a lot of sensitive information on our smartphones, which is why security is key. A loophole in Android, though, has allowed access to credit card details with the right NFC hardware, but Google is actively delivering a fix.

As detailed on GitHub, a security issue that has been assigned the identifier CVE-2023-35671 affects Android devices and allows access to full credit card details through NFC reader devices such as the popular Flipper Zero tool.

The issue, which affects all Android devices running Android 5.0 and higher, is a loophole involving Android’s “Screen Pinning” tool, which allows users to lock an app on screen until a PIN is entered. When Screen Pinning is enabled, the “Ask for PIN before unpinning” option is turned on, and “Require device unlock for NFC” is turned on, this loophole can expose your credit card information. It also requires Google Wallet to hold a credit or debit card that is set up for in-store NFC payments.

Under these conditions, someone with an appropriate NFC reader tool can trigger a locked Android phone to divulge full credit card details with a tap. The loophole doesn’t allow payments to be made, but exposes the full credit card details as shown in the proof-of-concept video below.

Given the very specific circumstances in which this happens, it’s very unlikely anyone has run into trouble with it, but it’s a very concerning loophole nonetheless. Thankfully, Google is already well-aware of the problem, and has marked the issue as “high” in severity. A fix is included with the September 2023 security patch for Android versions 11 through 13.

If you’re on a device that is no longer receiving security patches or stuck on an older version of Android, preventing the issue is as simple as disabling the Screen Pinning feature in your device’s Settings menu.

Notably, Screen Pinning is not enabled by default.

The September 2023 security patch is currently available to all Android makers, with Samsung having rolled out the update to many devices. Google Pixel devices were expected to get the patch with Android 14, but that has been unexpectedly delayed.


Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.