Monday, February 27, 2012

Major Security Loophole In 2-Step Authentication

Hello to whom it may concern,
As I was exploring around after setting up Google 2-Step Authentication, I discovered that anyone who obtains the application-specific password can log into Gmail with an ordinary web browser, without the verification key, even if you have enabled 2-step verification.

If you log in from your web browser with the application-specific password, Google's browser login page will prevent you from doing so. However, if you take someone's username and application-specific password and log in using the Google Notifier for Mac, the login will go through.

Now, this is just the mail notifier... we still need to access the actual account inside the browser, right? Well, simply go to the Google Notifier icon in the menu bar and click "Go to Inbox." Done. Authenticated. Verification code unnecessary.

What's even more alarming, after a small test of my own, is that the verification server allows the same application-specific password to be used more than once. Now I can see that this is necessary, as some client programs need to call the network constantly with an authenticated username/password, so the application-specific password must be usable multiple times. But if this is the case (that accounts can easily be accessed using the above-mentioned method), then fixing the Google Notifier will fix the issue, right?
Not really.
1) If I save the installer for this version of Google Notifier, then I can still use it to access accounts without the verification key, so updates to the Google Notifier program will probably not fix the issue.

2) All of this poses an even greater question: how secure are Google's authentication layers?

If I can bypass the Google 2-step key verification process so easily, then it seems that there is no actual gateway between the public and the private (logged-in) data, just a very security-fancy login page.
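To make the design point behind items 1) and 2) concrete, here is a small constructed model of the two login paths described above: a browser login that demands the account password plus a 2-step code, and a client login that accepts a reusable application-specific password (ASP) with no code. It is an added illustration written for this page, not Google's code, and it assumes nothing about Google's internals: the account names, the hashing, the ASP format (a random 16-character secret) and the "go to inbox" exchange are all invented for the example. With `bind_scope=False` the server lets a session that was obtained with an ASP be exchanged for a full web session, which is the behaviour the post reports; with `bind_scope=True` the server refuses that exchange unless the session was issued with the second factor, so the check lives on the server and no saved copy of an old client can get around it.

```python
"""Toy model of one account protected by a password plus a 2-step verification
code, which also accepts reusable application-specific passwords (ASPs) for
mail clients. Constructed illustration only; nothing here is Google's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 20_000  # low for a demo; a real server would use far more


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    step2_code: str  # stand-in for the one-time verification code (constructed)
    asps: Dict[str, bytes] = field(default_factory=dict)  # label -> hash of an ASP


@dataclass
class Session:
    user: str
    scope: str           # "web" = full account in the browser, "mail" = client protocols only
    second_factor: bool  # True only if a 2-step code was checked when this session was issued


class AuthServer:
    def __init__(self, bind_scope: bool):
        # bind_scope=False reproduces the behaviour the post describes: a mail-only
        # session can be traded for a web session. bind_scope=True is the hardened form.
        self.bind_scope = bind_scope
        self.accounts: Dict[str, Account] = {}

    def register(self, name: str, password: str, step2_code: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(name, salt, _hash(password, salt), step2_code)

    def issue_asp(self, name: str, label: str) -> str:
        """Mint a random 16-character secret (assumed format) for one client program."""
        acct = self.accounts[name]
        asp = secrets.token_hex(8)
        acct.asps[label] = _hash(asp, acct.salt)
        return asp

    def revoke_asp(self, name: str, label: str) -> None:
        self.accounts[name].asps.pop(label, None)

    def _matches_asp(self, acct: Account, secret: str) -> bool:
        h = _hash(secret, acct.salt)
        return any(hmac.compare_digest(h, stored) for stored in acct.asps.values())

    def browser_login(self, name: str, secret: str, code: Optional[str] = None) -> Optional[Session]:
        """Browser page: account password AND 2-step code. An ASP is not the password."""
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(_hash(secret, acct.salt), acct.pw_hash):
            return None
        if code is None or not hmac.compare_digest(code, acct.step2_code):
            return None
        return Session(name, "web", second_factor=True)

    def client_login(self, name: str, secret: str) -> Optional[Session]:
        """Client path (what a mail notifier uses): ASP only, no code, reusable until revoked."""
        acct = self.accounts.get(name)
        if acct is None or not self._matches_asp(acct, secret):
            return None
        return Session(name, "mail", second_factor=False)

    def go_to_inbox(self, session: Session) -> Optional[Session]:
        """Model of a 'Go to Inbox' button: exchange an existing session for a web session."""
        if self.bind_scope and not (session.scope == "web" and session.second_factor):
            return None  # hardened: an ASP-issued session never escalates to the web UI
        return Session(session.user, "web", session.second_factor)


if __name__ == "__main__":
    weak = AuthServer(bind_scope=False)
    weak.register("alice", "correct horse battery", "123456")
    asp = weak.issue_asp("alice", "notifier")
    print("browser + ASP:", weak.browser_login("alice", asp, "123456"))
    print("client + ASP :", weak.client_login("alice", asp))
    print("go to inbox  :", weak.go_to_inbox(weak.client_login("alice", asp)))
```

The reusability the post measured is by design here too: `client_login` succeeds as often as the ASP is presented until `revoke_asp` removes it, which is the control the account owner actually has over a leaked ASP. What changes between the two modes is only the server-side decision in `go_to_inbox`, so the fix does not depend on which client binary the attacker kept.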

Also, any hacker can host a WiFi network, intercept the secret key used by the Google Notifier program to access one's Gmail without any other verification steps, immediately cut the real user's Internet connection before the open key is registered with the Google authentication servers, and then take the same open key and use it himself [the intruder], thus making one's Gmail account highly vulnerable to unknown intruders.

However, this last intercepting method may not really work, depending on whether the Google Notifier communicates with the Google servers through SSL encryption. But even if SSL encryption is used, this implies that our Gmail accounts' security is based solely on 128-bit SSL security or whatever so-called 'secure connection' the Google Notifier uses...

Be safe.

