For some time, attackers had the ability to bypass Google’s two-step authentication system through access to users’ app-specific passwords, giving them full access to victims’ Google accounts, including Gmail. The vulnerability that enables this attack, discovered by researchers from DuoSecurity, has been patched by Google.
Attackers with knowledge of the seven month old vulnerability could have stolen or guessed a user’s application-specific password and exploited Android’s auto-login feature to take control of that user’s entire Google profile without having to pass Google’s secondary authentication mechanism. Of course, once an attacker has this access, he can then reset the master password, disable two factor-authentication, or change any other account setting for that matter. Google resolved the flaw with a security patch when they shipped out their Chrome 25 update on Thursday of last week.
Application specific passwords are those that are created in order to grant users access to their Google account resources via certain applications. According to DuoSecurity, Google requires that users create application specific passwords for each application that doesn’t support Google’s two-step login. This requirement is generally imposed upon apps that don’t require web-based login, like email clients using IMAP, SMTP, chat clients that communicate via extensible messaging and presence protocol and calendar apps that sync via CalDAV.
“In recent versions of Android (and ChromeOS), Google has included, in their browser, an “auto-login” mechanism for Google accounts. After you’ve linked your device to a Google account, the browser will let you use your device’s existing authorization to skip Google’s web-based sign-on prompts,” Duo Security CEO Jon Oberheide said in a blog explaining the details of the bug and the attack.
“Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal. This included the “Account recovery options” page, on which you can add or edit the email addresses and phone numbers to which Google might send password-reset messages. In short, if you can access the “Account recovery options” page for a Google account, then you can seize complete control of that account from its rightful owner.”
Despite the existence of a patch for the bug, Oberheide is warning that Google application users employing two-factor authentication should remain wary considering the broad account access granted to users once they are successfully logged into one of those apps.
The vulnerability could affect Google users on traditional, desktop platforms but only after the vulnerability is exploited and the victim’s account password or email recovery settings are altered.
The bug leveraged Android’s auto-login mechanism to bypass two-factor authentication. According to Duo Security, if a user has linked their Android device to their Google account, the Chrome browser will use local-device authentication to override Google’s two-factor authentication. In other words, if an attacker can gain access to an Android device, then they can access the owner’s “account recovery options,” make necessary changes to passwords and recovery email addresses, and seize complete control of a victim’s account.
“We think it’s a rather significant hole in a strong authentication system if a user still has some form of “password” that is sufficient to take over full control of his account. However, we’re still confident that — even before rolling out their fix — enabling Google’s 2-step verification was unequivocally better than not doing so,” Oberheide said.