Application-specific passwords weaken Google's two-factor authentication, researchers say
Researchers from two-factor authentication provider Duo Security found a loophole in Google's authentication system that allowed them to get around the company's 2-step login verification by abusing the unique passwords used to connect individual applications to Google accounts.
According to the Duo Security researchers, Google fixed the flaw on Feb. 21, but the incident highlights the fact that Google's application-specific passwords don't provide granular control over account data.
When enabled, Google's 2-step verification system requires the input of unique codes in addition to the account's regular password in order to log in. This is designed to prevent accounts from being hijacked simply because the password is compromised. The unique codes can either be received at a phone number associated with the account or can be generated using a smartphone application.
However, 2-step verification only works when logging in through Google's site. In order to accommodate desktop email clients, chat programs, calendar applications and so on, Google introduced the concept of application-specific passwords (ASPs). These are randomly generated passwords that allow applications to access the account without the need for a second authentication factor. ASPs can be revoked at any time without changing the account's main password.
The problem is, "ASPs are—in terms of enforcement—not really application-specific at all!" the Duo Security researchers said Monday in a blog post. "If you create an ASP for use in (for example) an XMPP chat client, that same ASP can also be used to read your email over IMAP, or grab your calendar events with CalDAV."
The researchers found a flaw in the auto-login mechanism implemented in Chrome in the latest versions of Android that allowed them to use an ASP to gain access to a Google account's recovery and 2-step verification settings.
In essence, the flaw could have allowed an attacker who stole an ASP for a Google account to change the mobile phone number and recovery email address associated with that account or even disable 2-step verification altogether.
"Given nothing but a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)!" the Duo Security researchers said. "This is no longer the case as of February 21st, when Google engineers pushed a fix to close this loophole."
In addition to fixing the issue, Google apparently also changed the message displayed after generating an application-specific password in order to warn users that "this password grants complete access to your Google Account."
"We think it's a rather significant hole in a strong authentication system if a user still has some form of 'password' that is sufficient to take over significant control of his account," the Duo Security researchers said. "However, we're still confident that—even before rolling out their fix—enabling Google's 2-step verification was unequivocally better than not doing so."
That said, the researchers would like to see Google implement some kind of mechanism similar to OAuth tokens that would permit restricting the privileges of every individual application-specific password.
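The two credential models the article contrasts, an ASP that every back-end service accepts regardless of which application it was created for, and an OAuth-style token whose privileges are restricted per application, can be compared side by side. The following is an added example, not Google's code and not anything from Duo Security's post; the service names, the HMAC-signed token format, the issuer key and the account name are all constructed for the demonstration.

```python
"""Scoped tokens versus application-specific passwords (constructed demo).

An ASP is one opaque secret that every service accepts, so a credential
created for chat also opens mail and account-recovery settings. A scoped
token carries a signed list of the services it may reach, and each service
enforces that list, which is the granular control the researchers ask for.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key; a real deployment keeps this in an HSM or KMS.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed set of back-end services a credential might be presented to.
SERVICES = frozenset({"xmpp", "imap", "caldav", "account-settings"})

# ASP model: the server remembers each issued secret per account, nothing else.
_ASP_STORE: dict[str, str] = {}  # asp -> account


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> str:
    return _b64(hmac.new(ISSUER_KEY, body, hashlib.sha256).digest())


def issue_asp(account: str) -> str:
    """Application-specific password: a random secret with no scope attached."""
    asp = secrets.token_urlsafe(12)
    _ASP_STORE[asp] = account
    return asp


def authorize_asp(asp: str, service: str) -> bool:
    """Any valid ASP opens any service: 'application-specific' is not enforced."""
    return service in SERVICES and asp in _ASP_STORE


def issue_token(account: str, scopes: set[str]) -> str:
    """OAuth-style scoped credential: claims are signed so scopes cannot be edited."""
    unknown = scopes - SERVICES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    body = json.dumps(
        {"sub": account, "scopes": sorted(scopes), "jti": secrets.token_hex(8)},
        sort_keys=True,
    ).encode()
    return f"{_b64(body)}.{_sign(body)}"


def verify_token(token: str) -> dict | None:
    """Return the claims if the signature checks out, otherwise None."""
    try:
        body_b64, sig = token.split(".")
        body = _unb64(body_b64)
    except (ValueError, binascii.Error):
        return None
    # Verify before parsing so untrusted bytes never reach the JSON decoder.
    if not hmac.compare_digest(_sign(body), sig):
        return None
    return json.loads(body)


def authorize_token(token: str, service: str) -> bool:
    """Each service checks that its own name is in the signed scope list."""
    claims = verify_token(token)
    return claims is not None and service in claims["scopes"]


def tamper_scopes(token: str, new_scopes: set[str]) -> str:
    """Rewrite the scope list without re-signing; verify_token must reject this."""
    body_b64, sig = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["scopes"] = sorted(new_scopes)
    forged = json.dumps(claims, sort_keys=True).encode()
    return f"{_b64(forged)}.{sig}"


def demo() -> dict[str, bool]:
    """Run both models against the same constructed account and report access."""
    asp = issue_asp("alice@example.com")  # constructed account
    chat_token = issue_token("alice@example.com", {"xmpp"})
    forged = tamper_scopes(chat_token, set(SERVICES))
    return {
        "asp_reaches_xmpp": authorize_asp(asp, "xmpp"),
        "asp_reaches_account_settings": authorize_asp(asp, "account-settings"),
        "token_reaches_xmpp": authorize_token(chat_token, "xmpp"),
        "token_reaches_imap": authorize_token(chat_token, "imap"),
        "token_reaches_account_settings": authorize_token(chat_token, "account-settings"),
        "forged_token_reaches_imap": authorize_token(forged, "imap"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the scope check is that it runs at every service, not at the token issuer: a stolen chat token is still useless against mail, calendar or recovery settings, and editing the scope list breaks the signature. Whether the back end actually consults the scope list is exactly the enforcement gap the researchers describe.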
Google did not immediately respond to a request for comment about this flaw or possible plans to implement more granular control for application-specific passwords in the future.
Source: https://www.pcworld.com/article/456976/applicationspecific-passwords-weaken-googles-twofactor-authentication-researchers-say.html