A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.

And with that information, the attacker has access to “Google Apps, Gmail, Drive, Calendar, Voice and other Google services.”