Forgot your password?
typodupeerror
Google Security Technology

Bypassing Google's Two-Factor Authentication 49

Posted by timothy
from the disclaimer-dug-song-is-a-genius-monkey dept.
An anonymous reader writes "The team at Duo Security figured out how to bypass Google's two-factor authentication, abusing Google's application-specific passwords. Curiously, this means that application-specific passwords are actually more powerful than users' regular passwords, as they can be used to disable the second factor entirely to gain control of an account. Duo [publicly released this exploit Monday] after Google fixed this last week — seven months after initially replying that this was expected behavior!"
This discussion has been archived. No new comments can be posted.

Bypassing Google's Two-Factor Authentication

Comments Filter:
  • by F.Ultra (1673484) on Tuesday February 26, 2013 @11:56AM (#43014739)

    Since the regular password as been changed to require an additional two-factor password they of course had to come up with this ASP idea for services where you cannot provide a two factor authentication and of course these have to be more powerful than the password that you now changed into a two factor. How can this be a surprise at all?

  • by cgimusic (2788705) on Tuesday February 26, 2013 @12:03PM (#43014825)
    To be fair I can sort of see Google's point. An application specific password is meant to be given to the application once and then never typed again, heavily reducing the chance of it being compromised. It should still not be possible to turn off 2 step auth or change the users password with one though but I have never assumed that it couldn't. Google makes it quite clear that the password grants full account access.
  • Re:Nice Guys! (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 26, 2013 @12:21PM (#43015089)

    The generally accepted behavior is to:

    1. Report the bug to the developers.
    2. Work out a disclosure timeline and give them time to fix the problem.
    3. Disclose after the fix is released.

    Except when the developer at stage two says; 'that's not a bug' or, 'that's intended design', or FOAD' or they ignore you completely. Then the responsible thing is to disclose the bug so that everyone knows that it is an issue and stops using the service until the developer is forced to address the issue.

    In this case, Google said that it was by design. Meaning essentially that there was no fault/bug when there clearly was. At that point, with no expectation of it being fixed, Duo Security would have been well within the right to disclose and force Google's hand. Or, they could turn evil and profit from the exploit, since you seem to feel that they should not have disclosed a bug that Google was ignoring.

  • Re:Nice Guys! (Score:1, Insightful)

    by binarylarry (1338699) on Tuesday February 26, 2013 @01:37PM (#43015943)

    They're a Google Ventures company.

    Best not to bite that hand that feeds you.

  • by BlueMonk (101716) <BlueMonkMN@gmail.com> on Tuesday February 26, 2013 @03:58PM (#43017609) Homepage

    I think you're being over-critical of the commenter's diligence. There is some room for interpretation or confusion. Yes, application specific passwords are intended to provide single-step authentication to applications that don't participate in 2-step authentication. And yes, it's easy to gloss over the distinction between using an ASP to access application functions versus security aministration functions, and that's where the bug lies. Its easy to gloss over because ASPs were intended to replace 2-step authentication, and its a somewhat subtle point that this access should exclude administrative functions - subtle because that was never mentioned in the design/purpose of ASPs.

    So I think the commenter's confusion/question is fair to some extent: Google representatives themselves probably glossed over the distinction between limiting ASP access to app-level functionality versus ASP access to admin-level functionality leading to their initial response that it was working as intended. Now you say that the commenter should have made that distinction, and that's true with the help of this article, but there's still a gray area that I think the commenter is trying to point out. Not only is there a distinction between app-level access and admin-level access that ASPs should have been conscious of. There's also a distinction between app-level access and app-specific access. In other words, an application could be limited to access only data relevant to its specific operation (just email content, for example), or it could be limited to access only data relevant to *any* application-level operation (exclude all admin functionality, but allow access to all other data), or it functions just like a mechanism to bypass 2-step authentication, accessing all functionality (which Google now agrees is "buggy").

    The commenter acknowledges that yes, it would have been nice to have ASPs limited to app-specific functions, but notes that this level of refinement was never intended to be incorporated into ASPs. And I think the commenter is right on that point. My (and your) response to that however is the next level of distinction. This is not the level of distinction being called out in the article. I think the distinction is between app-level access versus admin-level access, not a reference to app-specific access. No application should have admin-level access when using an ASP. That's less of an enhancement and more of a security flaw when you get to that level of security hole.

* * * * * THIS TERMINAL IS IN USE * * * * *

Working...