Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Oct 9, 2011

A Google 2-step verification vulnerability

Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed; by June it was available in 150 countries and in 40 different languages.

Of course, I took interest in how the two-step verification was designed and I discovered a couple of design issues. In addition I discovered a security flaw that qualified for Google's vulnerability reward program, so I engaged in a responsible disclosure process with Google. Now they've fixed the bug, my reward has been donated to charity, and I've received my 19 bytes of fame, so I guess it's time to blog about this. I'll focus on the security bug here, and blog about the design issues later. I need to do some investigation to see whether Google fixed any of them or not, as they reported that they were re-evaluating some of their design decisions.

If you're unfamiliar with how the two-step verification works, see Google's video below (borrowed from Getting started with 2-step verification).



Now, straight to the point.


The never ending cookie
After you've enabled two-step verification, you'll have to supply a verification code once you've entered your username and password. Note that you can select "Remember this computer for 30 days".


When clicking "Verify", the code would be posted back to Google, and the following response would set a cookie configured to live for 30 days in the browser. Here's the actual cookie used to demonstrate the security bug (I've truncated its value for readability, and other obvious reasons):

Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnly

As you can see, it was set to expire on Saturday, April 2. Here's the note I sent to Google to describe the problem:

    I took interest in the option to "remember" the two-step verification for 30 days. Naturally, I've been looking at the cookies used for this purpose, and noticed the cookie set when supplying a valid OTP:

    POST /accounts/SmsAuth?persistent=yes HTTP/1.1
    Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnly

    Today, I reused the above mentioned cookie, which was set to expire in April, four months ago. The cookie still works like a charm, I'm not required to provide a fresh OTP on login, as long as the cookie is set.

"Today" was August 6, so the cookie could definitely be used after its expiration date. So what went wrong? The problem was that the cookie itself either:

  1. did not include its lifetime as part of its value, so the server had nothing to validate it against, or
  2. did include its lifetime, but the server did not validate it.
The effect was that the lifetime of the cookie was controlled by the browser, and not server side, yielding an "eternal" cookie. This was not Google's intention, and they reported that they "moved quickly" to fix this.
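As an added illustration (not code from the post or from Google), here is a minimal "remember this computer" cookie in Python that embeds a signed expiry in its value and checks it on the server, placed beside the browser-enforced check that only trusts the signature. The key, user name and timestamps are constructed; the cookie name SMSV and the /accounts path are taken from the header above, and the replay reproduces the post's April cookie being presented on August 6.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key: a real deployment keeps this in a key store.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
REMEMBER_DAYS = 30

# Constructed timestamps matching the post: a cookie minted so that it
# expires on Sat, 02-Apr-2011 14:03:26 GMT, and replayed on August 6.
ISSUED_AT = datetime(2011, 3, 3, 14, 3, 26, tzinfo=timezone.utc)
IN_WINDOW = datetime(2011, 3, 20, 12, 0, 0, tzinfo=timezone.utc)
REPLAY_AT = datetime(2011, 8, 6, 12, 0, 0, tzinfo=timezone.utc)


def expiry_for(issued_at):
    return issued_at + timedelta(days=REMEMBER_DAYS)


def sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_remember_cookie(user_id, issued_at):
    """Mint the 'remember this computer' cookie value.

    The expiry is part of the signed payload, so the server can enforce it
    regardless of the Expires attribute the browser is asked to honour.
    """
    claims = {"uid": user_id, "exp": int(expiry_for(issued_at).timestamp())}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sign(payload)


def set_cookie_header(user_id, issued_at):
    """Build the Set-Cookie line in the shape shown in the post."""
    expires = expiry_for(issued_at).strftime("%a, %d-%b-%Y %H:%M:%S GMT")
    return ("SMSV=%s; Expires=%s; Path=/accounts; Secure; HttpOnly"
            % (issue_remember_cookie(user_id, issued_at), expires))


def parse_claims(cookie_value):
    """Return the claims dict if the signature verifies, else None."""
    try:
        encoded, sig = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:
        return None
    # Constant-time comparison: a forged or tampered cookie fails here.
    if not hmac.compare_digest(sign(payload), sig):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def verify_browser_enforced(cookie_value, user_id):
    """The flawed check the post describes: the signature is trusted but
    'exp' is never consulted, so the cookie lives as long as the browser
    keeps sending it."""
    claims = parse_claims(cookie_value)
    return claims is not None and claims.get("uid") == user_id


def verify_server_enforced(cookie_value, user_id, now):
    """The corrected check: expiry is compared against the server clock."""
    claims = parse_claims(cookie_value)
    if claims is None or claims.get("uid") != user_id:
        return False
    return now.timestamp() < claims.get("exp", 0)


def replay_outcome():
    """Reproduce the post's scenario: an April cookie presented in August.
    Returns (accepted_by_flawed_check, accepted_by_fixed_check)."""
    cookie = issue_remember_cookie("alice", ISSUED_AT)
    return (verify_browser_enforced(cookie, "alice"),
            verify_server_enforced(cookie, "alice", REPLAY_AT))


if __name__ == "__main__":
    print(set_cookie_header("alice", ISSUED_AT))
    print("flawed check, fixed check:", replay_outcome())
```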


What was the risk?
If we consider the threats that Google specifically mentions on their blog, this was not a severe risk. In the case of password reuse across sites, this vulnerability does not reduce the usefulness of the two-step verification. An attacker who stole your password from another site would still need to obtain one of your verification codes (or a verification cookie) to be able to access your account.

The same goes for an attacker that has obtained your username and password through a phishing attack; she would still need to obtain a verification code to compromise your account.

This vulnerability let a (malicious) user circumvent the re-authentication mechanism in 2-step verification. After 30 days, the user must prove yet again that she possesses the mobile phone required to log in to the Google account, assuring that it's still the correct person who's logged in. Re-authentication could be circumvented since it was enforced by the browser. Now it is enforced on the server instead.

And how did Google react?
I have to say, the Google security team was very professional throughout the process. Their e-mails were polite and forthcoming — they were quite open about some of the design choices they'd made. Apparently there was one person assigned to my particular case, which made the follow ups more personal. Thanks to both Adam on the Google security team, and the 2-step verification team!

So, that was the story of my first vulnerability reward-winning bug. In a week or two I'll blog about some design issues that, in my opinion, might have a much larger impact on security.

82 comments:

  1. I have a concern about 2 step verification. Only last week our company was hit by a phishing website attack that fooled our accountant into thinking he was logging into their bank, when in fact he was logging into a fake web site.

    How would 2 step verification stop this? In my mind, the phishing site would simply pass through the login info immediately to the real website, our accountant would get his verification code and enter that into the fake site, and the fake site would push that through to the real bank site as well... Am I missing something here?

    Replies
    1. Hi,

      Thanks for leaving a comment, your concern is highly relevant. I've been working with online banking security the last couple of years, so I'll share some insights.

      As with other security measures, two-factor authentication is no silver bullet. Still, it's an important piece of the security puzzle for an online bank as it raises the bar for an attacker attempting to transfer money from an account. I gave a talk last year about some of the adjustments we did at the online bank I was working for — in response to some significant developments in trojan functionality. You might want to check it out, you'll find it under "Talks" but here's the direct link: http://www.slideshare.net/klingsen/110502-dnd-isacaisfonlinebankingtrojans

      Trojan attacks are somewhat similar to phishing attacks in that they try to steal a user's password along with several verification codes, so the Trojan countermeasures are highly relevant also for phishing attacks.

      As you point out, if the user gives away the password along with verification codes that's not particularly good for security. However, most banks will require additional codes to transfer actual money from the account — raising the bar for the attackers. Now, there are also other hurdles for an attacker before an attack is successful and money is transferred. I can't go into specifics, but there are two main categories of security measures, you can try to prevent fraud from happening, or try to detect it in a timely manner. Banks do both.

      Preventive measures are e.g. the verification codes, which raise the bar for an attacker and require user interaction. This gives the user a chance to get the feeling that "something funny is going on." If you look at my slides you'll see that we shared information about the transaction through SMS to the user — increasing the likelihood of the user detecting the attack.

      One might argue that this is "detection", but I draw the line at an attempt to transfer money by the attacker. If the user detects the attack and refuses to give up verification codes, the attack has been prevented from the bank's point of view.

      Now, the user might not detect the attack and willingly gives up verification codes. The result will be an attempt to transfer money, and fraud detection comes into play. Note that fraud attacks have existed since the very beginning of banking systems so the problem is far from new. Phishing and Trojan attacks are simply a "new" form of malicious transfers. Banks have been dealing with fraud for ages and have adapted to the new threat. It's worth noting that money is seldom transferred instantly, so there's a reasonable time window to detect the transfer and stop it.

      I can't go into more specifics, but I hope I shed some light on what "makes up" the security of an online bank. Threats are constantly evolving and banks need to adapt their security measures accordingly. As always, you need layers of defense to survive on the Internet.

      I hope everything turned out ok for your colleague!
  2. Google seems to have quietly removed the "Remember this computer for 30 days" option and replaced it with a "Don't ask for codes again on this computer" option that apparently never expires. It's been a lot more than 30 days since the last time I was asked for a verification code.

    No doubt Google made the change to make 2-step verification more attractive to the average user, but it is actually a disconcerting change to me. Now I need to be more careful about whether I check that box when logging into strange PCs. And I wonder what would happen if a hacker got a hold of my password and one of those cookies. Ideally Google would let me set the expiration for my account.

    Replies
    1. Hi Jacob and thanks for leaving a comment.

      I see that they've changed how 2-step verification works and that the option is now "Trust this computer". You're right, if someone gets hold of your password, along with your cookies or a one time code, that probably means permanent access to your account.

      As I mention in the blog post it seems Google focuses primarily on phishing attacks. And for phishing attacks this is not a very problematic change unless the attackers are also able to phish a one time code and use it in near real time. For other types of attacks the change is not so beneficial, for example trojans stealing credentials.

      I've been meaning for some time to write a post discussing the various approaches to authentication that we see from the big players on the Internet. I think I'll have to find some time soon, there are some interesting things going on out there!
  3. I have the two step verification turned on and each time I sign in, I select the "don't ask for codes again from this computer" but this feature never works for me! I still get asked for codes when signing in EVERY time, it don't matter if I had signed in an hour or even a minute before (it even just happened when trying to publish this post even though I had previously been signed in on my computer!) It doesn't seem to "remember" my computer or any of my other devices (phone or iPad). Am I the only one on the planet with this issue? Can anyone shed some light? Thanks in advance....

    Replies
    1. *doesn't matter .... sorry that was a typo, not poor English!

    2. Hi Kelly,

      from your description this seems to have something to do with your browser settings. Have you set the "delete cookies on exit" configuration option in your browser?

      The two step verification process sets a cookie in your browser in order to "remember it", whenever you log in and this cookie is missing you'll be asked for a new code. You could try this from another browser and see if the problem persists.

      As for the iPad, if you're using Safari in "private mode", I assume that could cause this behaviour.

      Hope that helps!
  4. I think Google should NOT default to the 'trust this computer for future logins'. In the case you would like to retain the 2 step feature, every single time you log in you must deselect it, and it's requiring an additional step. Resetting the security settings requires too much effort, and it's not possible to remember what computers you have allowed and what you have not.

    Replies
    1. I agree: Google should NOT default to the 'trust this computer for future logins'.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
