Of course, I took interest in how the two-step verification was designed and I discovered a couple of design issues. In addition I discovered a security flaw that qualified for Google's vulnerability reward program, so I engaged in a responsible disclosure process with Google. Now they've fixed the bug, my reward has been donated to charity, and I've received my 19 bytes of fame, so I guess it's time to blog about this. I'll focus on the security bug here, and blog about the design issues later. I need to do some investigation to see whether Google fixed any of them or not, as they reported that they were re-evaluating some of their design decisions.
If you're unfamiliar with how the two-step verification works, see Google's video below (borrowed from Getting started with 2-step verification).
The never ending cookie
After you've enabled two-step verification, you'll have to supply a verification code once you've entered your username and password. Note that you can select "Remember this computer for 30 days".
When clicking "Verify", the code would be posted back to Google, and the following response would set a cookie configured to live for 30 days in the browser. Here's the actual cookie used to demonstrate the security bug (I've truncated its value for readability, and other obvious reasons):
Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnly
As you can see, it was set to expire on Saturday, April 2. Here's the note I sent to Google do describe the problem:
"Today" was August 6, so the cookie could definitely be used also after its expiration date. So what went wrong? The problem was that the cookie itself either:I took interest in the option to "remember" the two-step verification for 30 days. Naturally, I've been looking at the cookies used for this purpose, and noticed the cookie set when supplying a valid OTP:POST /accounts/SmsAuth?persistent=yes HTTP/1.1Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnlyToday, I reused the above mentioned cookie, which was set to expire in april, four months ago. The cookie still works like a charm, I'm not required to provide a fresh OTP on login, as long as the cookie is set.
- Did not include its lifetime as part of its value, enabling a server side validation of its validity.
- It did include its lifetime, but it was not validated on the server.
The effect was that the lifetime of the cookie was controlled by the browser, and not server side, yielding an "eternal" cookie. This was not Google's intention, and they reported that they "moved quickly" to fix this.
What was the risk?
If we consider the threats that Google specifically mention on their blog, this was not a severe risk. In the case of password reuse across sites, this vulnerability does not reduce the usefulness of the two-step verification. An attacker who stole your password from another site would still need to obtain one of your verification codes (or a verification cookie) to be able to access your account.
The same goes for an attacker that has obtained your username and password through a phishing attack, she would still need to obtain a verification code to compromise your account.
This vulnerability let a (malicious) user circumvent the re-authentication mechanism in 2-step verification. After 30 days, the user must prove yet again that she possesses the mobile phone required to log in to the Google account, assuring that it's still the correct person who's logged in. Re-authentication could be circumvented since it was enforced by the browser. Now it is enforced on the server instead.
And how did Google react?
I have to say, the Google security team was very professional throughout the process. Their e-mails were polite and forthcoming — they were quite open about some of the design choices they'd made. Apparently there was one person assigned to my particular case, which made the follow ups more personal. Thanks to both Adam on the Google security team, and the 2-step verification team!
So, that was the story of my first vulnerability reward-winning bug. In a week or two I'll blog about some design issues that, in my opinion, might have a much larger impact on security.
I have a concern about 2 step verification. Only last week our company was hit by a phishing website attack that fooled our accountant into thinking he was logging into their bank, when in fact he was logging into a fake web site.
ReplyDeleteHow would 2 step verification stop this? In my mind, the phishing site would simply pass through the login info immediately to the real website, our accountant would get his verification code and enter that into the fake site, and the fake site would push that through to the real bank site as well... Am I missing something here?
Hi,
DeleteThanks for leaving a comment, your concern is highly relevant. I've been working with online banking security the last couple of years, so I'll share some insights.
As with other security measures, two-factor authentication is no silver bullet. Still, it's an important piece of the security puzzle for an online bank as it raises the bar for an attacker attempting to transfer money from an account. I gave a talk last year about some of the adjustments we did at the online bank I was working for — in response to some significant developments in trojan functionality. You might want to check it out, you'll find it under "Talks" but here's the direct link: http://www.slideshare.net/klingsen/110502-dnd-isacaisfonlinebankingtrojans
Trojan attacks are somewhat similar to phishing attacks in that they try to steal a user's password along with several verification codes, so the Trojan countermeasures are highly relevant also for phishing attacks.
As you point out, if the user gives away the password along with verification codes that's not particularly good for security. However, most banks will require additional codes to transfer actual money from the account — raising the bar for the attackers. Now, there are also other hurdles for an attacker before an attack is successfull and money is transfered. I can't go into specifics, but there are two main categories of security measures, you can try to prevent fraud from happening, or try to detect it in a timely manner. Banks do both.
Preventive measures are e.g. the verfication codes, which raises the bar for an attacker and requires user interaction. This gives the user a chance to get the feeling that "something funny is going on." If you look at my slides you'll see that we shared information about the transaction through SMS to the user — increasing the likelihood of the user detecting the attack.
One might argue that this is "detection", but I draw the line at an attempt to transfer money by the attacker. If the user detects the attack and refuses to give up verification codes, the attack has been prevented from the bank's point of view.
Now, the user might not detect the attack and willingly gives up verification codes. The result will be an attempt to transfer money, and fraud detection comes into play. Note that fraud attacks have existed since the very beginning of banking systems so the problem is far from new. Phishing and Trojan attacks are simply a "new" form of malicious transfers. Banks have been dealing with fraud for ages and have adapted to the new threat. It's worth noting that money is seldom transferred instantly, so there's a reasonable time window to detect the transfer and stop it.
I can't go into more specifics, but I hope I shed some light on what "makes up" the security of an online bank. Threats are constantly evolving and banks need to adapt their security measures accordingly. As always, you need layers of defense to survive on the Internet.
I hope everything turned out ok for your colleague!
Deleteدانلود آهنگ touch it ریمیکس tik tok
Google seems to have quietly removed the "Remember this computer for 30 days" option and replaced it with a "Don't ask for codes again on this computer" option that apparently never expires. It's been a lot more than 30 days since the last time I was asked for a verification code.
ReplyDeleteNo doubt Google made the change to make 2-step verification more attractive to the average user, but it is actually a disconcerting change to me. Now I need to be more careful about whether I check that box when logging into strange PCs. And I wonder what would happen if a hacker got a hold of my password and one of those cookies. Ideally Google would let me set the expiration for my account.
Hi Jacob and thanks for leaving a comment.
DeleteI see that they've changed how 2-step verification works and that the option is now "Trust this computer". You're right, if someone gets hold of your password, along with your cookies or a one time code, that probably means permanent access to your account.
As I mention in the blog post it seems Google focus primarily on phishing attacks. And for phishing attacks this is not a very problematic change unless the attackers are also able to phish a one time code and use it in near real time. For other types of attacks the change is not so beneficial, for example trojans stealing credentials.
I've been meaning for some time to write a post discussing the various approaches to authentication that we see from the big players on the Internet. I think I'll have to find some time soon, there's some interesting things going on out there!
I have the two step verification turned on and each time I sign in, I select the "don't ask for codes again from this computer" but this feature never works for me! I still get asked for codes when signing in EVERY time, it don't matter if I had signed in an hour or even a minute before (it even just happened when trying to publish this post even though I had previously been signed in on my computer!) It doesn't seem to "remember" my computer or any of my other devices (phone or iPad). Am I the only one on the planet with this issue? Can anyone shed some light? Thanks in advance....
ReplyDelete*doesn't matter .... sorry that was a typo, not poor English!
DeleteHi Kelly,
Deletefrom your description this seems to have something to do with your browser settings. Have you set the "delete cookies on exit" configuration option in your browser?
The two step verification process sets a cookie in your browser in order to "remember it", whenever you log in and this cookie is missing you'll be asked for a new code. You could try this from another browser and see if the problem persists.
As for the iPad, if you're using Safari in "private mode", I assume that could cause this behaviour.
Hope that helps!
I think Google should NOT default to the 'trust this computer for future logins'. In the case you would like to retain the 2 step feature, every single time you login you must deselect and It's requiring an additional step. To reset the security settings requires too much effort and not possible to remember what computers you have allowed and what you have not.
ReplyDeleteI agree: Google should NOT default to the 'trust this computer for future logins
Deleteray ban sunglasses
ReplyDeletemichael kors handbags
michael kors outlet
ugg boots
columbia sportswear
coach factory outlet
michael kors outlet
kd shoes
pandora charms
michael kors uk
chenlina20170421
20170518 leilei3915
ReplyDeletemont blanc pens
pandora charms
coach factory outlet
michael kors handbags
lacoste shirts
mlb jerseys wholesale
polo shirts
michael kors outlet clearance
cheap mlb jerseys
ugg boots
You can find lots of great articles on close topics at https://nerdymates.com/blog/article-review
ReplyDeleteI agree: Google should NOT default to the 'trust this computer for future logins
ReplyDeleteSend Flowers To Colombia
Thanks for this article very helpful. thanks. Verifications IO
ReplyDeleteA VIN verification is an important part of registering your vehicle in California. Discover what type of transactions require VIN verifications and who is authorized to complete the verification. 슈어맨,토토사이트
ReplyDeleteI have read about this and know about it very much. I see this clip more know this makes me know more about it. gclub
ReplyDeleteBut it's not as easy as just calling up an employment verification company and passing the baton - there's still a lot you need to know 슈어맨
ReplyDeleteI got what you mean , thanks for posting .Woh I am happy to find this website through google. Dominoqq
ReplyDeleteTo continue irritating application notices under control, you can incapacitate the notices. You can undoubtedly do this from the play store settings.
ReplyDeletehttps://giftcardprizes.com/google-play-gift-card-free-generator/
Thanks for your sharing. Hope you can contribute more quality posts to this page. Thank you!
ReplyDeleterun 3
This comment has been removed by the author.
ReplyDeletethanks for your sharing i like you post
ReplyDeleteThe authority App Store is the place you get all your applications and recreations for your gadget. ac Market is one such option App Store for Android clients where they can get practically all the applications and diversions that they need.
ReplyDeletehello!! Very interesting discussion glad that I came across such informative post. Keep up the good work friend. Glad to be part of your net community. cara main poker
ReplyDeleteI would like to thanks for sharing the high-value article with us and I hope you'll publish more article like this type of post.Career Mistakes based on your Zodiac Sign
ReplyDeleteHaving a reasonable thought of the classification into which your blessing will fall, consequently, is the initial phase in picking the correct present for your planned beneficiary. blomster bamse
ReplyDeleteI am usually to blogging i really appreciate your posts. Your content has really peaks my interest. I’m going to bookmark your website and keep checking achievable information. fortnite v bucks generator
ReplyDeletelouboutin shoes
ReplyDeletemichael kors handbags
christian louboutin shoes
coach outlet stores
kd shoes
christian louboutin outlet
adidas flux
fenty puma
jordan shoes
yeezy 500 blush
Thank you for taking the time to publish this information very useful! sbobet
ReplyDeletePretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info
ReplyDeletethings to do
Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. 먹튀
ReplyDeleteThe article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post.
ReplyDeleteCCTV Service Pakistan
That is really nice to hear. thank you for the update and good luck. Buy Pinterest Followers
ReplyDeleteThanks for the post! Very useful!
ReplyDeletesizzling hot deluxe
Your feedback helps me a lot, A very meaningful event, I hope everything will go well
ReplyDeleteThis service is very useful for us because through this, we can save our data from hackers and no one can open our documents and this is a great service. I am also using it and satisfied with its features. Master dissertation writing service.
ReplyDeleteLet us revive your business with our custom mobile app development services.
ReplyDeletevé máy bay tết giá rẻ
ReplyDeletevé máy bay đi Mỹ hạng thương gia
vé máy bay Việt Nam đi Pháp
mua vé máy bay đi hàn quốc giá rẻ
vé máy bay đi nhật giá bao nhiêu
lịch trình bay từ việt nam sang Anh
săn vé máy bay 0 đồng
vé máy bay đi San Francisco bao nhiêu tiền
thời gian bay từ Việt nam sang Los Angeles
combo du lịch nha trang
This is Google's amazing feature because through this, you can save your data from hackers because due to two-step verification, they can't get access to your Gmail account. You can use your account without any confusion. Dissertation writing service.
ReplyDeleteExcellent post. I was checking constantly this blog and I am impressed!
ReplyDeleteExtremely helpful info specifically the last part
I care for such info much. I was seeking this particular info for a very long time.
Thank you and good luck.
easeus todo backup crack
solveigmm video splitter crack
active file recovery crack
soft maker 2021 crack
razer game booster crack
Mua vé máy bay Aivivu, tham khảo
ReplyDeletevé máy bay đi Mỹ bao nhiêu
gia ve may bay ve vn
bay nhật bản việt nam
chuyến bay thương mại từ canada về việt nam
ReplyDeleteskycut plotter india
experts
mobileskinsoftware
silhouette cameo 4
mobileskinsoftware
ambition gifts
top sublimation
wemaketrips
This is my first post. I really like this blog. I'm reading this post from my I-Phone and it looks great! Also read this article Plastering Sand Bangalore
ReplyDeleteYou are so interesting! I do not believe I’ve read through something like that before. So wonderful to discover another person with unique thoughts on this subject. Really.. thank you for starting this up. This web site is something that is needed on the internet, someone with a bit of originality! If you are searching for Assignment Writing Services UK, We provide you the Best Assignment Help in the UK by expert academic writers. Our assignment helpers aim to provide 100% plagiarism free assignment help. For more services:-
ReplyDeleteMost Reliable Assignment Helpers
Treat Assignment Help in zombiepumpkins
best Essay Writing Services
Assignment Writing Help in UK
Online Assignment Help UK
Our research paper assignment help follow an absolutely constructive method of paper composition, which allows them to cover every vital aspect of research.
ReplyDeleteIf you are searching like best assignment writing service UK then you can get at studentsassignmethelp.co.uk. It has over 2000 expert writers who are the best in their field and have received a high number of positive feedback from UK students. If you employ a writer from SAH, you can contact them at any time via phone, email, or live chat. They are available 24 hours a day, 7 days a week to assist you. They often academic writing help, online exam help,research paper writing,essay writing, online exam help,and thesis writing,homework, research paper writing,case study, dissertation writing addition to assignment with 100% plagiarism free at a very low cost.
ReplyDeleteExcellent Post.
ReplyDeletewincracker.com
Inpixio Photo Clip Crack
ReplyDeleteConstitutional Law Assignment Help
Get Constitutional Law Assignment Help online from Best Assignment Experts because we have hired the best responsible experienced team who works 24*7 hours to submit work on time. Our professors, Constitutional Law Assignment Help specialists, and experts charge very little and cheap and offer great quality and 100 % customized assignments help. We submit assignments with theories.
Contact Us: +65-91753078
Very interesting VDO. Thanks for sharing. ร้านติดฟิล์มรถยนต์
ReplyDeleteIt’s not my first time to pay a quick visit this web
ReplyDeletesite, i am visiting this site dailly and obtain fastidious data from here
daily.
VMware Fusion Pro Crack
Power Archiver Crack
Corel Painter Crack
UMT Dongle Crack
SolveigMM Video Splitter Crack
cracksite.net
ReplyDeletePackers and Movers Chennai Give Safe and Reliable ***Household Shifting Services in Chennai with Reasonable ###Packers and Movers Price Quotation. We Provide Household Shifting, Office Relocation, ✔✔✔Local and Domestic Transportation Services, Affordable and Reliable Shifting Service Charges @ Packers And Movers Chennai
This site has particular software articles which emit an impression of being significant
ReplyDeleteand significant for you individual, able software installation.
This is the spot you can get help for any software installation, usage, and crack.
Folder Lock Crack
Virtual DJ Crack
Better File Rename Crack
BS.Player Pro Crack
InPixio Photo Focus Crack
"이용이유가생기는곳 먹튀검증 안전노리터 go"
ReplyDeleteWe provide expert Cyber Security Services by nurturing individuals to accessto on-going simulated campaigns that validate your skills.
ReplyDelete
ReplyDeleteThanks for this. I really like what you've posted here and wish you the best of luck with this blog! Also read this article.M sand Suppliers in bangalore
Thank you for sharing this nice information
ReplyDeleteLooking for Assignment Help choose Assignmenthelpaus.com for Case Study Help in Australia. Hire our experts and get most affordable price Assignment Writing Help. We deliver 100% original and well- research content. For more information visit us https://assignmenthelpaus.com/
Thank you for this informative post
ReplyDeleteDo you need Management Assignment Help from top experts? Don’t worry hire our experts and get most low price Assignment Writing Help in worldwide. We have team of professional experts. Our team of dedicated experts are available 24*7 for assist you. Visit us now
Thank you for sharing this useful blog
ReplyDeleteLooking for Assignment Help UAE from top dedicated experts? Choose QnA Assignment Help and get most reasonable price Assignment Writing service in UAE and worldwide. QnA Assignment Help is available 24*7 hours. For more information visit us now.
I am very satisfied of this website. I visit it daily. I read it daily. I like so much.
ReplyDeleteI like this website. I am very satisfied with it.
ReplyDeletepg slot wallet เว็บไซต์เกม สล็อต ฝาก-ถอน ทรูวอลเล็ตไม่มีอย่างน้อยใหม่ปัจจุบันในปี 2021นี้ pg slot ถูกปรับปรุง ประดิษฐ์กราฟฟิกความหลากหลายรายลักษณะของเกมมีเกมให้เล่นมากมาย
ReplyDeletepg auto slot มีเกมพนันให้เลือกกว่า 300 เกมไม่ซ้ำกันเล่นอย่างไรก็ไม่เบื่อ PG SLOT เล่นเกมสล็อตในระบบออนไลน์แบบใหม่ปัจจุบัน 2022ที่แจ็คพอตแตกง่ายแจกเครดิตฟรี 100 บาทคุ้มสุด
ReplyDeleteการเล่น pg slot สีชมพู ที่ถูกที่สุดนั้น อยู่ที่เว็บไซต์ที่ให้บริการสล็อตออนไลน์และมีการรับรองจากต่างประเทศ PG SLOT เช่น เว็บพนันออนไลน์
ReplyDeleteสล็อตแมชชีน (Slot machine) จึงเป็นนิยมอย่างมากงั้นหรอ? เดิมพันที่เล่นง่าย ไม่ต้องทำความเข้าใจเยอะ แค่หยอดเหรียญ pgslot และรอหมุนเท่านั้น
ReplyDeleteRacha Slot ออนไลน์ การเล่นเกมสล็อตเป็นการเสี่ยงโชคเพื่อรับรางวัล เมื่อชนะแล้วจะได้รับเงินรางวัลตามจำนวนเงินที่เดิมพัน PG SLOT
ReplyDeleteGlad to visit your blog. Thanks for great post that you share to us...
ReplyDeleteI am very satisfied with this website, I visit this website everyday and get lot of information.
ReplyDeleteI am thankful to the website's owner for sharing this amazing work. That information is fantastic and helpful. also, Visit my website to view the most recent article about
ReplyDeletemodern name plate designs We've discovered how to design morden house nameplate design 2023.
I am appreciative of the website's owner for sharing this fantastic work. That information is fantastic and helpful. Visit my website to view the most recent article about modern name plate designs We've learned how to design modern house nameplate design 2023 on my articles.
ReplyDeleteI completely agree with your thoughts here.
ReplyDelete