CVE-2011-2344

Name of the Vulnerable Software and Affected Versions Android Picasa versions 2.x through 2.3.4 Android Picasa version 3.0

Description The issue allows remote attackers to gain privileges and access private pictures and web albums by sniffing the authToken from connections with "picasaweb.google.com". This is possible because Android Picasa uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin.

Recommendations For Android Picasa versions 2.x through 2.3.4, consider disabling the use of cleartext HTTP sessions until a secure method is implemented. For Android Picasa version 3.0, consider disabling the use of cleartext HTTP sessions until a secure method is implemented. At the moment, there is no information about a newer version that contains a fix for this issue.