Google says that it has started "to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third-party access to data available in Calendar and Contacts". The fix will roll out globally over the next few days, said a Google spokesperson in an official statement. No user action will reportedly be required to close the security hole.
However, the company didn't provide any details on how exactly it intends to solve the problem. According to some reports, Google is expected to configure its servers so that communication is forced over HTTPS when synchronising calendar items and contacts.
For the Picasa app, this is apparently not an option, and Google is said to be working on an alternative solution. Nor does the company appear to have solved the Picasa problem in the Android firmware itself: the Picasa app continues to transmit the authentication token in plain text even in version 2.3.4, where Google Calendar and Contacts no longer synchronise without encryption.
Researchers at the University of Ulm in Germany had discovered an Android data transmission vulnerability that allows attackers to gain unauthorised access to, and manipulate, other users' Google Calendar, Picasa Web Album and Google Contacts data. The issue exists because the authentication token (AuthToken) received when logging into the Google server is subsequently transmitted in plain text by some applications when they make further requests to the Google servers. On unencrypted Wi-Fi networks, and on networks where all users share the same key, attackers can use Wireshark to intercept the token and use it for their own purposes.
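To make the two halves of the story concrete, the following is an added example written for this page; it is not code from the article, from Google or from the Ulm researchers. The first function does, over a constructed packet capture, what an attacker on an open Wi-Fi network does with Wireshark: it picks every ClientLogin token (sent as an `Authorization: GoogleLogin auth=...` header, the real ClientLogin header format) out of unencrypted port-80 HTTP requests. The second function is the client-side counterpart of the server-side HTTPS enforcement described above: it refuses to attach the token to any URL that is not `https://`. The IP addresses, token values and request paths in the sample capture are constructed for illustration.

```python
"""
Added example (not from the original article): audit a packet capture for
ClientLogin tokens sent over plain HTTP, and enforce HTTPS before a token
is attached to a request.  All packets and token values are constructed.
"""
import re
from urllib.parse import urlsplit

# ClientLogin authorization header, as sent by the affected sync clients:
# "Authorization: GoogleLogin auth=<token>"
AUTH_HEADER_RE = re.compile(
    r"^Authorization:\s*GoogleLogin\s+auth=(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
HOST_HEADER_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed capture: (src_ip, dst_ip, dst_port, tcp_payload).  Port-80
# payloads are readable HTTP; the port-443 payload stands in for an opaque
# TLS record, which carries no readable header.
SAMPLE_CAPTURE = [
    ("192.168.1.23", "74.125.0.1", 80,
     b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=CONSTRUCTED_CALENDAR_TOKEN_1234\r\n"
     b"\r\n"),
    ("192.168.1.23", "74.125.0.2", 443,
     b"\x16\x03\x01\x00\x2e..."),  # TLS ClientHello stand-in (constructed)
    ("192.168.1.23", "74.125.0.3", 80,
     b"GET /data/feed/api/user/default HTTP/1.1\r\n"
     b"Host: picasaweb.google.com\r\n"
     b"Authorization: GoogleLogin auth=CONSTRUCTED_PICASA_TOKEN_5678\r\n"
     b"\r\n"),
]


def extract_plaintext_tokens(capture):
    """Return [(host, token)] for each ClientLogin token sent over plain HTTP.

    Only port-80 payloads are inspected: that is the traffic anyone sharing
    an open or single-key Wi-Fi network can read and later replay.
    """
    found = []
    for _src, _dst, dst_port, payload in capture:
        if dst_port != 80:
            continue
        try:
            head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
        except UnicodeDecodeError:
            continue  # not readable HTTP, nothing to harvest
        auth = AUTH_HEADER_RE.search(head)
        if not auth:
            continue
        host = HOST_HEADER_RE.search(head)
        found.append((host.group(1) if host else "?", auth.group(1)))
    return found


def build_authorized_request(url, token):
    """Client-side enforcement of the fix: the token only ever travels in TLS.

    Returns the headers to send for an https:// URL; raises ValueError for
    any other scheme so a downgraded or misconfigured endpoint cannot leak it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send ClientLogin token over {parts.scheme!r}")
    return {"Host": parts.netloc, "Authorization": f"GoogleLogin auth={token}"}


def token_is_protected(url, token):
    """True if build_authorized_request() would accept this URL."""
    try:
        build_authorized_request(url, token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for host, tok in extract_plaintext_tokens(SAMPLE_CAPTURE):
        print(f"plaintext token for {host}: {tok}")
    print(token_is_protected("http://www.google.com/calendar/feeds/default/private/full", "t"))
```

Run stand-alone, the script lists the two tokens harvested from the port-80 requests and prints `False` for the http:// URL. The same scan can be pointed at a real capture by exporting TCP payloads from Wireshark; the point is that the token is the credential, so any hop where it appears outside TLS is a hop where it can be replayed.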