Google's two-factor authentication bypassed

Source: Duo Security

Google has fixed a vulnerability which could in theory have enabled attackers to compromise Google accounts protected by two-factor authentication. However, the company did take seven months to do so.

If this security feature is activated, Google requests an additional one-time password when a user tries to log into their Google account. The one-time password is generated by a smartphone app or can be delivered by text message. The requirement for an additional authentication factor means that the account is protected from unauthorised access should the user's access credentials fall into the wrong hands – access to the mobile phone associated with the account is also required.

There is, however, an intentional backdoor for applications which are not set up for two-factor authentication in the form of application specific passwords (ASP). If, for example, you want to use Thunderbird to download email from a Google account secured using two-factor authentication, you simply generate an ASP which is submitted by Thunderbird in place of the normal password.

This has the disadvantage that an attacker who intercepts the ASP then has access to email, calendar items and contacts without requiring the one-time password. Under normal circumstances, it should not be possible to permanently take over the user's Google account (for example by changing the main password) using an ASP.

But this is exactly what security researchers from Duo Security were able to do. Using an API intended for Android, they were able to use an ASP to access account settings, change the password for the Google account and even deactivate two-factor authentication.

The researchers reported their discovery to Google last July, but the vulnerability was only fixed at the end of last week. Google now checks whether sessions attempting to access account settings were authenticated by means of an ASP and, if they were, requires additional two-factor authentication.

(fab)