2012/07/16: Duo researchers confirm presence of ASP weakness.
2012/07/18: Issue reported to email@example.com.
2012/07/20: Communication with Google Security Team clarifying the issue.
2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
2013/02/25: Public disclosure by Duo.
Better late then never they say. And boy is Google late.
Seven months after being advised of a vulnerability that could, theoretically speaking, allow an attacker into a Google account protected by two-factor authentication and the search giant have finally fixed it. Hurrah!
With two-factor authentication enabled Google would require an additional one use password, and mobile to which it was delivered, in order to let a user into their account. This password would be delivered by text message or smart phone app and would protect the account should the main login credentials be hacked.
All sounds good but not all applications are set up for two-factor authentication. Therefore a workaround was allowed which was application specific passwords (ASP). The problem with this though is that if the ASP is intercepted by a bad guy he will then have access to contacts, emails, etc, etc without requiring the one time password which is a real big problem because –
“As it turns out, ASPs can do much, much more than simply access your email over IMAP. In fact, an ASP can be used to log into almost any of Google’s web properties and access privileged account interfaces, in a way that bypasses 2-step verification!”
But at least this issue is now fixed, albeit some 7 months and 9 days after Duo Security brought it to Google’s attention.