
Bypassing Google Two Factor Authentication

Bypassing Google Two Factor Authentication | Juno_okyo's Blog
Duo Security found a loophole in Google's authentication system that allowed them to bypass Google's two-factor authentication and gain full control over a user's Gmail account by abusing the unique passwords used to connect individual applications to Google accounts.
Duo Security is itself a two-factor authentication provider. The flaw was located in the auto-login mechanism implemented in Chrome in the latest versions of Android, which allowed them to use an Application-Specific Password (ASP) to gain access to a Google account's recovery and 2-step verification settings.
Auto-login allowed users who linked their mobile devices or Chromebooks to their Google accounts to automatically access all Google-related pages over the Web without ever seeing another login page.
"Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use (hence “Application-Specific”) that doesn’t support logins using 2-step verification," Duo Security said in a blog post.


"Then you use that ASP in place of your actual password. In more-concrete terms, you create ASPs for most client applications that don’t use a web-based login: email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc.); chat clients communicating over XMPP (Adium, Pidgin, etc.), and calendar applications that sync using CalDAV (iCal, etc.)."
ASPs are specialized tokens generated for each application, which users enter in place of the password/token combination. Duo Security discovered that ASPs actually weren't application-specific. In fact, one code could be used to log in to almost any of Google's Web properties because of the auto-login feature.
"So, given nothing but a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)"
The researchers shared their findings with Google, which fixed this security hole last week.
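The design flaw described above, that an ASP was accepted everywhere instead of only by the application it was created for, can be modelled next to a scope-bound check. This is an added example, not code from Duo Security or Google; the scope names, the `AspStore` class and both `authorize_*` functions are hypothetical.

```python
import hashlib
import secrets

# Hypothetical scope names for this model; Google's real service names differ.
SENSITIVE_SCOPES = {"account_recovery", "two_step_settings"}


class AspStore:
    """Stores only a digest of each ASP, keyed to its owner and allowed scopes."""

    def __init__(self):
        self._records = {}  # (user, sha256(asp)) -> frozenset of scopes

    @staticmethod
    def _digest(asp):
        return hashlib.sha256(asp.encode()).hexdigest()

    def issue(self, user, scopes):
        asp = secrets.token_urlsafe(12)
        self._records[(user, self._digest(asp))] = frozenset(scopes)
        return asp

    def scopes_for(self, user, asp):
        return self._records.get((user, self._digest(asp)))


def authorize_flawed(store, user, asp, scope):
    # Behaviour the article describes: a valid ASP is accepted for any service.
    return store.scopes_for(user, asp) is not None


def authorize_scoped(store, user, asp, scope):
    granted = store.scopes_for(user, asp)
    if granted is None:
        return False  # unknown or revoked ASP
    if scope in SENSITIVE_SCOPES:
        return False  # settings pages need an interactive 2-step login
    return scope in granted  # the ASP works only where it was issued for


if __name__ == "__main__":
    store = AspStore()
    asp = store.issue("alice@example.com", {"imap", "smtp"})  # constructed sample
    for scope in ("imap", "caldav", "two_step_settings"):
        print(scope, authorize_flawed(store, "alice@example.com", asp, scope),
              authorize_scoped(store, "alice@example.com", asp, scope))
```

With the scoped check, a leaked mail-client ASP still exposes mail, but it can no longer be used to change recovery or 2-step verification settings.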