Google squishes login-bypass bug that opened door to hijackers

Two-step account authentication sidestepped


Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts.

Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the user’s application-specific passwords.

The flaw was uncovered by Adam Goodman, principal security architect at Duo Security, and the firm's CTO, Jon Oberheide, who is best known for his research into Android security. The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.

Now for the science

Google generally asks users to create a separate application-specific password (ASP) for each program they use that doesn’t support the two-step authentication process used to log into their accounts from a web browser: typically this two-factor system texts a verification code to a user's mobile phone that must be typed in along with the username and password.

In practice, users create ASPs for most apps that don’t use or expect this web-based login: this includes email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc); chat clients communicating over XMPP (Adium, Pidgin, etc); and calendar applications that sync using CalDAV (iCal, etc). Even some Google tech initially required the use of ASPs, including Chrome’s sync features or setting up a Google account on an Android device.

But ASPs do far more than simply access your email over IMAP, Duo Security apparently discovered. An ASP can be used to log into almost any of Google’s web properties and access account settings in a way that bypasses two-step verification.

Google included an “auto-login” mechanism for its users' accounts in recent versions of Android and Chrome OS. So after a user links their device to a Google account, the web browser will use the device’s existing authorisation to skip Google’s web-based sign-on prompts.

Until late last week, this auto-login mechanism also granted access to the most sensitive parts of Google’s account-settings portal, including the “Account recovery options” page. Attackers could abuse this mechanism to add or edit an account's email addresses and phone numbers to which Google sends password reset messages.

Thus, with just a username, a swiped ASP and a web request to https://android.clients.google.com/auth, a hijacker could gain access to, and control of, any Google account without a login prompt or the need to satisfy the two-step verification process. The search giant has now plugged this hole.

A blog post by Duo Security's Goodman explaining the security flaw, and its resolution, in far greater detail can be found here.

Google stressed to The Reg that an attacker would need to get their hands on a user's ASP in order to pull off the hijack described by Duo Security:

The threat outlined by Duo Security first required gaining access to an application-specific password (ASP). ASPs are complex strings of characters that are not designed to be written down or memorized, so the phishing risk is very low. A separate, additional vulnerability would likely have been needed. Since last week's change, the theoretical threat is no longer valid because using an ASP alone is insufficient to access sensitive account settings.

Oberheide said Google was correct to downplay the phishing threat but said this wasn't the main attack vector for the now resolved security hole: getting a copy of a user's ASP isn't impossible.

"The phishing threat isn't very high," Oberheide told El Reg. "The risk is stealing an ASP stored on your endpoint (eg. for your instant messaging client, IMAP email client, etc) or intercepted by a thick client application that has insufficient SSL certificate verification (fairly common actually for crappy thick client apps)."

A good start, but…

Google’s fix (which appears to involve maintaining some per-session state to identify how one is authenticated) significantly mitigates the threat of hijacking, according to Duo Security, which specialises in providing cloud-based two-factor authentication to businesses.

ASPs are an interim approach that allows legacy software to dovetail with more advanced security protections, such as two-factor authentication. Reliance on the passwords by Google and others is expected to decline over time.

A compromised ASP could still be used to inflict significant harm on a user's account, but that user should ultimately retain control over his account - and the ability to revoke the ASP at the first sign something has gone wrong. However Duo would like to see Google go even further and implement some means to further restrict the privileges of individual ASPs.
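To illustrate the two defensive ideas above, Google's fix of keeping per-session state about how a session was authenticated, and Duo's wish for per-ASP privilege restriction, here is an added example that is not code from Google, Duo Security or this article. The endpoint paths, scope names and the `authorize_before`/`authorize_after` functions are hypothetical; `authorize_before` models the pre-fix behaviour where any valid session could reach the recovery-options page.

```python
from dataclasses import dataclass
from enum import Enum


class AuthMethod(Enum):
    PASSWORD_2SV = "password+2sv"   # interactive web login that passed two-step verification
    ASP = "asp"                     # session minted from an application-specific password


@dataclass(frozen=True)
class Session:
    user: str
    method: AuthMethod            # the per-session state the fix is described as adding
    scopes: frozenset = frozenset()  # hypothetical per-ASP privileges; empty for web logins


# Hypothetical endpoints. Recovery options are the sensitive settings the article describes.
SENSITIVE_PATHS = {"/settings/recovery", "/settings/password"}
# Hypothetical legacy-protocol endpoints and the ASP scope each would require.
SCOPED_PATHS = {"/imap": "mail", "/smtp": "mail", "/xmpp": "chat", "/caldav": "calendar"}


def authorize_before(session: Session, path: str) -> bool:
    """Pre-fix model: a session is a session, however it was obtained."""
    return bool(session.user)


def authorize_after(session: Session, path: str) -> bool:
    """Post-fix model: sensitive settings demand a full interactive login,
    and an ASP session may only use the legacy protocols it was scoped for."""
    if path in SENSITIVE_PATHS:
        # An ASP-derived session can never reach account-recovery settings.
        return session.method is AuthMethod.PASSWORD_2SV
    if session.method is AuthMethod.ASP:
        needed = SCOPED_PATHS.get(path)
        # Unknown paths, or paths outside the ASP's scopes, are denied.
        return needed is not None and needed in session.scopes
    return True


if __name__ == "__main__":
    mail_asp = Session("alice", AuthMethod.ASP, frozenset({"mail"}))
    web = Session("alice", AuthMethod.PASSWORD_2SV)
    print("before fix, ASP -> recovery page:", authorize_before(mail_asp, "/settings/recovery"))
    print("after fix,  ASP -> recovery page:", authorize_after(mail_asp, "/settings/recovery"))
    print("after fix,  ASP -> IMAP:", authorize_after(mail_asp, "/imap"))
    print("after fix,  2SV -> recovery page:", authorize_after(web, "/settings/recovery"))
```

A stolen mail ASP in this model still exposes the mailbox, which is why revoking it promptly still matters; what it can no longer do is rewrite the recovery addresses used for password resets.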

"Despite the issue being fixed, users of Google's two-step verification should still treat ASPs sensitively, since they offer deceptively broad account access if they were to be stolen, sniffed or phished," Oberheide told El Reg.

Last week Google disclosed that it had reduced account hijacking by 99.7 per cent thanks to improved security controls, such as two-factor authentication, and risk analysis procedures that challenge users to provide additional information in cases where a login attempt is deemed suspicious.

Even though this suggests Google's strategy is bringing home the bacon, it doesn't mean the execution is flawless, as Duo's research shows.

"Obviously, we're big fans of two-factor in general," Oberheide said. "Implementing two-factor properly and securely is no easy task though, especially in complex identity ecosystems. Even Google makes mistakes." ®
