Google squishes login-bypass bug that opened door to hijackers

Two-step account authentication sidestepped

Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts.

Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the user’s application-specific passwords.

The flaw was uncovered by Adam Goodman, principal security architect at Duo Security, and the firm's CTO, Jon Oberheide, who is best known for his research into Android security. The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.

Now for the science

Google generally asks users to create a separate application-specific password (ASP) for each program they use that doesn’t support the two-step authentication process used to log into their accounts from a web browser: typically this two-factor system texts a verification code to a user's mobile phone that must be typed in along with the username and password.

In practice, users create ASPs for most apps that don’t use or expect this web-based login: this includes email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc); chat clients communicating over XMPP (Adium, Pidgin, etc); and calendar applications that sync using CalDAV (iCal, etc). Even some Google tech initially required the use of ASPs, including Chrome’s sync features or setting up a Google account on an Android device.

But ASPs can do far more than simply access your email over IMAP, Duo Security discovered. An ASP can be used to log into almost any of Google’s web properties and access account settings in a way that bypasses two-step verification.

Google included an “auto-login” mechanism for its users' accounts in recent versions of Android and Chrome OS. So after a user links their device to a Google account, the web browser will use the device’s existing authorisation to skip Google’s web-based sign-on prompts.

Until late last week, this auto-login mechanism also granted access to the most sensitive parts of Google’s account-settings portal, including the “Account recovery options” page. Attackers could abuse this mechanism to add or edit an account's email addresses and phone numbers to which Google sends password reset messages.

Thus, with just a username, a swiped ASP and a web request to https://android.clients.google.com/auth, a hijacker could gain access to, and control of, any Google account without a login prompt or the need to satisfy the two-step verification process. The search giant has now plugged this hole.

A blog post by Duo Security's Goodman explaining the security flaw, and its resolution, in far greater detail can be found here.

Google stressed to The Reg that an attacker would need to get their hands on a user's ASP in order to pull off the hijack described by Duo Security:

The threat outlined by Duo Security first required gaining access to an application-specific password (ASP). ASPs are complex strings of characters that are not designed to be written down or memorized, so the phishing risk is very low. A separate, additional vulnerability would likely have been needed. Since last week's change, the theoretical threat is no longer valid because using an ASP alone is insufficient to access sensitive account settings.

Oberheide said Google was correct to downplay the phishing threat, but said phishing wasn't the main attack vector for the now-resolved security hole: getting a copy of a user's ASP isn't impossible.

"The phishing threat isn't very high," Oberheide told El Reg. "The risk is stealing an ASP stored on your endpoint (eg. for your instant messaging client, IMAP email client, etc) or intercepted by a thick client application that has insufficient SSL certificate verification (fairly common actually for crappy thick client apps)."

A good start, but…

Google’s fix (which appears to involve maintaining some per-session state to identify how one is authenticated) significantly mitigates the threat of hijacking, according to Duo Security, which specialises in providing cloud-based two-factor authentication to businesses.

ASPs are an interim approach that allows legacy software to dovetail with more advanced security protections, such as two-factor authentication. Reliance on the passwords by Google and others is expected to decline over time.

A compromised ASP could still be used to inflict significant harm on a user's account, but that user should ultimately retain control over his account - and the ability to revoke the ASP at the first sign something has gone wrong. However, Duo would like to see Google go even further and implement some means to further restrict the privileges of individual ASPs.
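The fix the article describes (a session that records how it was authenticated, so an ASP login can no longer reach sensitive settings) together with the per-ASP privilege restriction Duo asks for, sketched as an added example in Python. This is neither Google's nor Duo's code; the classes and functions (Account, Asp, Session, authorize) and the scope names are hypothetical.

```python
# Added example, not Google's implementation: a session that remembers HOW the
# user authenticated, plus ASPs that carry an explicit, limited scope set.
from dataclasses import dataclass, field
import secrets

# Settings pages that must never be reachable from an ASP/device login.
SENSITIVE_SETTINGS = {"account_recovery_options", "change_password", "manage_asps"}

@dataclass
class Asp:
    secret: str
    scopes: frozenset  # e.g. {"imap", "smtp"}; an ASP never gets "settings"

@dataclass
class Session:
    user: str
    auth_method: str                       # "password+otp" or "asp"
    scopes: frozenset = field(default_factory=frozenset)

class Account:
    def __init__(self, user):
        self.user = user
        self.asps = {}                     # name -> Asp

    def create_asp(self, name, scopes):
        # ASPs are random strings the user is not expected to memorise.
        asp = Asp(secrets.token_urlsafe(12), frozenset(scopes))
        self.asps[name] = asp
        return asp

    def revoke_asp(self, name):
        # Revocation is the user's remedy once an ASP is suspected stolen.
        self.asps.pop(name, None)

def login_with_asp(account, presented_secret):
    for asp in account.asps.values():
        if secrets.compare_digest(asp.secret, presented_secret):
            return Session(account.user, "asp", asp.scopes)   # weak session
    return None

def login_interactive(account, password_ok, otp_ok):
    # Browser login: password plus the texted verification code.
    if password_ok and otp_ok:
        return Session(account.user, "password+otp",
                       frozenset({"settings", "imap", "smtp", "xmpp"}))
    return None

def authorize(session, resource):
    # Pre-fix behaviour: any valid session could edit settings. Post-fix: the
    # session must have been established interactively with the second factor.
    if resource in SENSITIVE_SETTINGS:
        return session.auth_method == "password+otp"
    return resource in session.scopes
```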

"Despite the issue being fixed, users of Google's two-step verification should still treat ASPs sensitively, since they offer deceptively broad account access if they were to be stolen, sniffed or phished," Oberheide told El Reg.

Last week Google disclosed that it had reduced account hijacking by 99.7 per cent thanks to improved security controls, such as two-factor authentication, and risk analysis procedures that challenge users to provide additional information in cases where a login attempt is deemed suspicious.

Even though this suggests Google's strategy is bringing home the bacon, it doesn't mean the execution is flawless, as Duo's research shows.

"Obviously, we're big fans of two-factor in general," Oberheide said. "Implementing two-factor properly and securely is no easy task though, especially in complex identity ecosystems. Even Google makes mistakes." ®
