Google squishes login-bypass bug that opened door to hijackers
Two-step account authentication sidestepped
Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts.
Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the user’s application-specific passwords.
The flaw was uncovered by Adam Goodman, principal security architect at Duo Security, and the firm's CTO, Jon Oberheide, who is best known for his research into Android security. The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.
Now for the science
Google generally asks users to create a separate application-specific password (ASP) for each program they use that doesn’t support the two-step authentication process used to log into their accounts from a web browser: typically this two-factor system texts a verification code to a user's mobile phone that must be typed in along with the username and password.
In practice, users create ASPs for most apps that don’t use or expect this web-based login: this includes email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc); chat clients communicating over XMPP (Adium, Pidgin, etc); and calendar applications that sync using CalDAV (iCal, etc). Even some Google tech initially required the use of ASPs, including Chrome’s sync features or setting up a Google account on an Android device.
But ASPs that do far more than simply access your email over IMAP, Duo Security apparently discovered. An ASP can be used to log into almost any of Google’s web properties and access account settings in a way that bypasses two-step verification.
Google included an “auto-login” mechanism for its users' accounts in recent versions of Android and Chrome OS. So after a user links their device to a Google account, the web browser will use the device’s existing authorisation to skip Google’s web-based sign-on prompts.
Until late last week, this auto-login mechanism also granted access to the most sensitive parts of Google’s account-settings portal, including the “Account recovery options” page. Attackers could abuse this mechanism to add or edit an account's email addresses and phone numbers to which Google sends password reset messages.
Thus, with just a username, a swiped ASP and a web request to
https://android.clients.google.com/auth, a hijacker could gain access to, and control of, any Google account without a login prompt nor the need to satisfy the two-step verification process. The search giant has now plugged this hole.
A blog post by Duo Security's Goodman explaining the security flaw, and its resolution, in far greater detail can be found here.
Google stressed to The Reg that an attacker would need to get their hands on a user's ASP in order to pull off the hijack described by Duo Security:
The threat outlined by Duo Security first required gaining access to an application-specific password (ASP). ASPs are complex strings of characters that are not designed to be written down or memorized, so the phishing risk is very low. A separate, additional vulnerability would likely have been needed. Since last week's change, the theoretical threat is no longer valid because using an ASP alone is insufficient to access sensitive account settings.
Oberheide said Google was correct to downplay the phishing threat but said this wasn't the main attack vector for the now resolved security hole: getting a copy of a user's ASP isn't impossible.
"The phishing threat isn't very high," Oberheide told El Reg. "The risk is stealing an ASP stored on your endpoint (eg. for your instant messaging client, IMAP email client, etc) or intercepted by a thick client application that has insufficient SSL certificate verification (fairly common actually for crappy thick client apps)."
A good start, but…
Google’s fix (which appears to involve maintaining some per-session state to identify how one is authenticated) significantly mitigates the threat of hijacking, according to Duo Security, which specialises in providing cloud-based two-factor authentication to businesses.
ASPs are an interim approach that allows legacy software to dovetail with more advanced security protections, such as two-factor authentication. Reliance on the passwords by Google and others is expected to decline over time.
A compromised ASP could still be used to inflict significant harm on a user's account, but that user should ultimately retain control over his account - and the ability to revoke the ASP at the first sign something has gone wrong. However Duo would like to see Google go even further and implement some means to further restrict the privileges of individual ASPs.
"Despite the issue being fixed, users of Google's two-step verification should still treat ASPs with sensitively, since they offer deceptively broad account access if they were to be stolen, sniffed or phished," Oberheide told El Reg.
Last week Google disclosed that it had reduced account hijacking by 99.7 per cent thanks to improved security controls, such as two-factor authentication, and risk analysis procedures that challenge users to provide additional information in cases where a login attempt is deemed suspicious.
Even though this suggests Google's strategy is bringing home the bacon, it doesn't mean the execution is flawless, as Duo's research shows.
"Obviously, we're big fans of two-factor in general," Oberheide said. "Implementing two-factor properly and securely is no easy task though, especially in complex identity ecosystems. Even Google makes mistakes." ®