Google squishes login-bypass bug that opened door to hijackers

Two-step account authentication sidestepped

Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts.

Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the user’s application-specific passwords.

The flaw was uncovered by Adam Goodman, principal security architect at Duo Security, and the firm's CTO, Jon Oberheide, who is best known for his research into Android security. The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.

Now for the science

Google generally asks users to create a separate application-specific password (ASP) for each program they use that doesn’t support the two-step authentication process used to log into their accounts from a web browser: typically this two-factor system texts a verification code to a user's mobile phone that must be typed in along with the username and password.

In practice, users create ASPs for most apps that don’t use or expect this web-based login: this includes email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc); chat clients communicating over XMPP (Adium, Pidgin, etc); and calendar applications that sync using CalDAV (iCal, etc). Even some Google tech initially required the use of ASPs, including Chrome’s sync features or setting up a Google account on an Android device.

But ASPs can do far more than simply access your email over IMAP, Duo Security discovered. An ASP can be used to log into almost any of Google’s web properties and access account settings in a way that bypasses two-step verification.

Google included an “auto-login” mechanism for its users' accounts in recent versions of Android and Chrome OS. So after a user links their device to a Google account, the web browser will use the device’s existing authorisation to skip Google’s web-based sign-on prompts.

Until late last week, this auto-login mechanism also granted access to the most sensitive parts of Google’s account-settings portal, including the “Account recovery options” page. Attackers could abuse this mechanism to add or edit an account's email addresses and phone numbers to which Google sends password reset messages.

Thus, with just a username, a swiped ASP and a web request to https://android.clients.google.com/auth, a hijacker could gain access to, and control of, any Google account without a login prompt or the need to satisfy the two-step verification process. The search giant has now plugged this hole.

A blog post by Duo Security's Goodman explaining the security flaw, and its resolution, in far greater detail can be found here.

Google stressed to The Reg that an attacker would need to get their hands on a user's ASP in order to pull off the hijack described by Duo Security:

The threat outlined by Duo Security first required gaining access to an application-specific password (ASP). ASPs are complex strings of characters that are not designed to be written down or memorized, so the phishing risk is very low. A separate, additional vulnerability would likely have been needed. Since last week's change, the theoretical threat is no longer valid because using an ASP alone is insufficient to access sensitive account settings.

Oberheide said Google was correct to downplay the phishing threat but said this wasn't the main attack vector for the now resolved security hole: getting a copy of a user's ASP isn't impossible.

"The phishing threat isn't very high," Oberheide told El Reg. "The risk is stealing an ASP stored on your endpoint (eg. for your instant messaging client, IMAP email client, etc) or intercepted by a thick client application that has insufficient SSL certificate verification (fairly common actually for crappy thick client apps)."

A good start, but…

Google’s fix (which appears to involve maintaining some per-session state to identify how one is authenticated) significantly mitigates the threat of hijacking, according to Duo Security, which specialises in providing cloud-based two-factor authentication to businesses.

ASPs are an interim approach that allows legacy software to dovetail with more advanced security protections, such as two-factor authentication. Reliance on the passwords by Google and others is expected to decline over time.

A compromised ASP could still be used to inflict significant harm on a user's account, but that user should ultimately retain control over his account - and the ability to revoke the ASP at the first sign something has gone wrong. However, Duo would like to see Google go even further and implement some means to further restrict the privileges of individual ASPs.
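As an added illustration (not Google's or Duo Security's code), the following models the per-session "how was this session authenticated?" state that the fix above is described as relying on, together with the per-ASP privilege scopes Duo would like to see. The AuthMethod names, the scope names and the endpoint names are assumptions made for the example.

```python
# Added example (not Google's or Duo Security's code): a model of the
# per-session "how did this session authenticate?" state that the article
# says the fix relies on, plus the per-ASP scopes Duo asked for.
# Method names, scopes and endpoint names are assumptions.
from dataclasses import dataclass
from enum import Enum


class AuthMethod(Enum):
    PASSWORD_AND_2SV = "password+2sv"      # browser login that passed two-step verification
    ASP = "asp"                            # application-specific password, no second factor
    DEVICE_AUTOLOGIN = "device-autologin"  # token minted for a linked Android/Chrome OS device


@dataclass(frozen=True)
class Session:
    user: str
    method: AuthMethod
    asp_scopes: frozenset = frozenset()    # hypothetical: what this ASP may reach


# Settings pages reachable only from a session that completed two-step verification;
# "account_recovery_options" is the page the article names.
SENSITIVE = frozenset({"account_recovery_options", "change_password", "manage_asps"})

# Hypothetical scope each legacy-protocol endpoint requires.
ENDPOINT_SCOPE = {"imap": "mail", "smtp": "mail", "xmpp": "chat", "caldav": "calendar"}


def authorize(session: Session, endpoint: str) -> str:
    """Return "allow", "deny" or "step-up". Before the fix every authenticated
    session, however obtained, reached the sensitive pages; now the method is checked."""
    if endpoint in SENSITIVE:
        return "allow" if session.method is AuthMethod.PASSWORD_AND_2SV else "step-up"
    needed = ENDPOINT_SCOPE.get(endpoint)
    if needed is None:
        return "deny"                          # unknown endpoint: deny by default
    if session.method is AuthMethod.ASP and needed not in session.asp_scopes:
        return "deny"                          # a mail-only ASP cannot reach XMPP
    return "allow"


def step_up(session: Session, password_ok: bool, second_factor_ok: bool) -> Session:
    """Upgrade a session only after the user freshly proves password AND second factor;
    a stolen ASP or device token alone can never satisfy this."""
    if not (password_ok and second_factor_ok):
        return session
    return Session(session.user, AuthMethod.PASSWORD_AND_2SV, session.asp_scopes)
```

A session minted from an ASP or a device auto-login token is steered to "step-up" on the recovery-options page rather than silently allowed, which is the behaviour the article says was missing.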

"Despite the issue being fixed, users of Google's two-step verification should still treat ASPs with sensitivity, since they offer deceptively broad account access if they were to be stolen, sniffed or phished," Oberheide told El Reg.

Last week Google disclosed that it had reduced account hijacking by 99.7 per cent thanks to improved security controls, such as two-factor authentication, and risk analysis procedures that challenge users to provide additional information in cases where a login attempt is deemed suspicious.

Even though this suggests Google's strategy is bringing home the bacon, it doesn't mean the execution is flawless, as Duo's research shows.

"Obviously, we're big fans of two-factor in general," Oberheide said. "Implementing two-factor properly and securely is no easy task though, especially in complex identity ecosystems. Even Google makes mistakes." ®
