
Security loophole found in Google's 2-factor authentication system


Now it can be told: Google's two-factor authentication, a system designed to make it harder for hackers to hijack a Google account, had a loophole that could bypass the security measure.
 
Researchers from Duo Security, who discovered the flaw and made it public only after Google fixed it, said the flaw could have potentially allowed a hacker to even reset the master password of the user's Google account.
 
"Some months ago, we found a way to (ab)use ASPs to gain full control over Google accounts, completely circumventing Google’s 2-step verification process. We communicated our findings to Google’s security team, and recently heard back from them that they had implemented some changes to mitigate the most serious of the threats we’d uncovered," they said.
 
With two-step verification, Google requires a user of Google apps such as Gmail to enter a second code, which Google may send via text message.
 
Such a system seeks to prevent the hijacking of an account even if the hacker manages to guess the target account's password.
 
Before the flaw was uncovered and fixed, Duo Security said, an attacker could potentially "bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP)."
 
Duo Security learned that in some cases - such as using auto-login with Google's Chrome, especially for Android and Chrome OS - the two-step verification can be bypassed.

'Seizing complete control'

"Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal. This included the 'Account recovery options' page, on which you can add or edit the email addresses and phone numbers to which Google might send password-reset messages," it said.
 
"In short, if you can access the 'Account recovery options' page for a Google account, then you can seize complete control of that account from its rightful owner," it said.
 
Google's fix
 
Duo Security said Google’s fix helps the situation "significantly," but suggested that Google "implement some means to further-restrict the privileges of individual ASPs."
 
Timeline of discovery
 
Duo Security said it discovered the weakness as early as July 2012, and reported it to Google days after finding it.
 
By Feb. 21, Google pushed a fix "to prevent ASP-initiated sessions from accessing sensitive account interfaces," it said. — TJD, GMA News