Of course, I took interest in how the two-step verification was designed and I discovered a couple of design issues. In addition I discovered a security flaw that qualified for Google's vulnerability reward program, so I engaged in a responsible disclosure process with Google. Now they've fixed the bug, my reward has been donated to charity, and I've received my 19 bytes of fame, so I guess it's time to blog about this. I'll focus on the security bug here, and blog about the design issues later. I need to do some investigation to see whether Google fixed any of them or not, as they reported that they were re-evaluating some of their design decisions.
If you're unfamiliar with how the two-step verification works, see Google's video below (borrowed from Getting started with 2-step verification).
The never ending cookie
After you've enabled two-step verification, you'll have to supply a verification code once you've entered your username and password. Note that you can select "Remember this computer for 30 days".
When clicking "Verify", the code would be posted back to Google, and the following response would set a cookie configured to live for 30 days in the browser. Here's the actual cookie used to demonstrate the security bug (I've truncated its value for readability, and other obvious reasons):
Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnly
As you can see, it was set to expire on Saturday, April 2. Here's the note I sent to Google do describe the problem:
"Today" was August 6, so the cookie could definitely be used also after its expiration date. So what went wrong? The problem was that the cookie itself either:I took interest in the option to "remember" the two-step verification for 30 days. Naturally, I've been looking at the cookies used for this purpose, and noticed the cookie set when supplying a valid OTP:POST /accounts/SmsAuth?persistent=yes HTTP/1.1Set-Cookie: SMSV=ADHTe-...; Expires=Sat, 02-Apr-2011 14:03:26 GMT; Path=/accounts; Secure; HttpOnlyToday, I reused the above mentioned cookie, which was set to expire in april, four months ago. The cookie still works like a charm, I'm not required to provide a fresh OTP on login, as long as the cookie is set.
- Did not include its lifetime as part of its value, enabling a server side validation of its validity.
- It did include its lifetime, but it was not validated on the server.
The effect was that the lifetime of the cookie was controlled by the browser, and not server side, yielding an "eternal" cookie. This was not Google's intention, and they reported that they "moved quickly" to fix this.
What was the risk?
If we consider the threats that Google specifically mention on their blog, this was not a severe risk. In the case of password reuse across sites, this vulnerability does not reduce the usefulness of the two-step verification. An attacker who stole your password from another site would still need to obtain one of your verification codes (or a verification cookie) to be able to access your account.
The same goes for an attacker that has obtained your username and password through a phishing attack, she would still need to obtain a verification code to compromise your account.
This vulnerability let a (malicious) user circumvent the re-authentication mechanism in 2-step verification. After 30 days, the user must prove yet again that she possesses the mobile phone required to log in to the Google account, assuring that it's still the correct person who's logged in. Re-authentication could be circumvented since it was enforced by the browser. Now it is enforced on the server instead.
And how did Google react?
I have to say, the Google security team was very professional throughout the process. Their e-mails were polite and forthcoming — they were quite open about some of the design choices they'd made. Apparently there was one person assigned to my particular case, which made the follow ups more personal. Thanks to both Adam on the Google security team, and the 2-step verification team!
So, that was the story of my first vulnerability reward-winning bug. In a week or two I'll blog about some design issues that, in my opinion, might have a much larger impact on security.
I have a concern about 2 step verification. Only last week our company was hit by a phishing website attack that fooled our accountant into thinking he was logging into their bank, when in fact he was logging into a fake web site.
ReplyDeleteHow would 2 step verification stop this? In my mind, the phishing site would simply pass through the login info immediately to the real website, our accountant would get his verification code and enter that into the fake site, and the fake site would push that through to the real bank site as well... Am I missing something here?
Hi,
DeleteThanks for leaving a comment, your concern is highly relevant. I've been working with online banking security the last couple of years, so I'll share some insights.
As with other security measures, two-factor authentication is no silver bullet. Still, it's an important piece of the security puzzle for an online bank as it raises the bar for an attacker attempting to transfer money from an account. I gave a talk last year about some of the adjustments we did at the online bank I was working for — in response to some significant developments in trojan functionality. You might want to check it out, you'll find it under "Talks" but here's the direct link: http://www.slideshare.net/klingsen/110502-dnd-isacaisfonlinebankingtrojans
Trojan attacks are somewhat similar to phishing attacks in that they try to steal a user's password along with several verification codes, so the Trojan countermeasures are highly relevant also for phishing attacks.
As you point out, if the user gives away the password along with verification codes that's not particularly good for security. However, most banks will require additional codes to transfer actual money from the account — raising the bar for the attackers. Now, there are also other hurdles for an attacker before an attack is successfull and money is transfered. I can't go into specifics, but there are two main categories of security measures, you can try to prevent fraud from happening, or try to detect it in a timely manner. Banks do both.
Preventive measures are e.g. the verfication codes, which raises the bar for an attacker and requires user interaction. This gives the user a chance to get the feeling that "something funny is going on." If you look at my slides you'll see that we shared information about the transaction through SMS to the user — increasing the likelihood of the user detecting the attack.
One might argue that this is "detection", but I draw the line at an attempt to transfer money by the attacker. If the user detects the attack and refuses to give up verification codes, the attack has been prevented from the bank's point of view.
Now, the user might not detect the attack and willingly gives up verification codes. The result will be an attempt to transfer money, and fraud detection comes into play. Note that fraud attacks have existed since the very beginning of banking systems so the problem is far from new. Phishing and Trojan attacks are simply a "new" form of malicious transfers. Banks have been dealing with fraud for ages and have adapted to the new threat. It's worth noting that money is seldom transferred instantly, so there's a reasonable time window to detect the transfer and stop it.
I can't go into more specifics, but I hope I shed some light on what "makes up" the security of an online bank. Threats are constantly evolving and banks need to adapt their security measures accordingly. As always, you need layers of defense to survive on the Internet.
I hope everything turned out ok for your colleague!
Great Article
DeleteIEEE Projects on Information Security
Project Centers in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai
Google seems to have quietly removed the "Remember this computer for 30 days" option and replaced it with a "Don't ask for codes again on this computer" option that apparently never expires. It's been a lot more than 30 days since the last time I was asked for a verification code.
ReplyDeleteNo doubt Google made the change to make 2-step verification more attractive to the average user, but it is actually a disconcerting change to me. Now I need to be more careful about whether I check that box when logging into strange PCs. And I wonder what would happen if a hacker got a hold of my password and one of those cookies. Ideally Google would let me set the expiration for my account.
Hi Jacob and thanks for leaving a comment.
DeleteI see that they've changed how 2-step verification works and that the option is now "Trust this computer". You're right, if someone gets hold of your password, along with your cookies or a one time code, that probably means permanent access to your account.
As I mention in the blog post it seems Google focus primarily on phishing attacks. And for phishing attacks this is not a very problematic change unless the attackers are also able to phish a one time code and use it in near real time. For other types of attacks the change is not so beneficial, for example trojans stealing credentials.
I've been meaning for some time to write a post discussing the various approaches to authentication that we see from the big players on the Internet. I think I'll have to find some time soon, there's some interesting things going on out there!
I have the two step verification turned on and each time I sign in, I select the "don't ask for codes again from this computer" but this feature never works for me! I still get asked for codes when signing in EVERY time, it don't matter if I had signed in an hour or even a minute before (it even just happened when trying to publish this post even though I had previously been signed in on my computer!) It doesn't seem to "remember" my computer or any of my other devices (phone or iPad). Am I the only one on the planet with this issue? Can anyone shed some light? Thanks in advance....
ReplyDelete*doesn't matter .... sorry that was a typo, not poor English!
DeleteHi Kelly,
Deletefrom your description this seems to have something to do with your browser settings. Have you set the "delete cookies on exit" configuration option in your browser?
The two step verification process sets a cookie in your browser in order to "remember it", whenever you log in and this cookie is missing you'll be asked for a new code. You could try this from another browser and see if the problem persists.
As for the iPad, if you're using Safari in "private mode", I assume that could cause this behaviour.
Hope that helps!
I think Google should NOT default to the 'trust this computer for future logins'. In the case you would like to retain the 2 step feature, every single time you login you must deselect and It's requiring an additional step. To reset the security settings requires too much effort and not possible to remember what computers you have allowed and what you have not.
ReplyDeleteI agree: Google should NOT default to the 'trust this computer for future logins
Deleteray ban sunglasses
ReplyDeletemichael kors handbags
michael kors outlet
ugg boots
columbia sportswear
coach factory outlet
michael kors outlet
kd shoes
pandora charms
michael kors uk
chenlina20170421
20170518 leilei3915
ReplyDeletemont blanc pens
pandora charms
coach factory outlet
michael kors handbags
lacoste shirts
mlb jerseys wholesale
polo shirts
michael kors outlet clearance
cheap mlb jerseys
ugg boots
You can find lots of great articles on close topics at https://nerdymates.com/blog/article-review
ReplyDeleteI agree: Google should NOT default to the 'trust this computer for future logins
ReplyDeleteSend Flowers To Colombia
I learn from a good blog, your blog I have a great inspiration, thank you. Send Gifts To pakistan
ReplyDeleteI really enjoyed reading your article. I found this as an informative and interesting post, so i think it is very useful and knowledgeable. send gifts to pakistan from usa.
ReplyDeleteThanks for this article very helpful. thanks. Verifications IO
ReplyDeleteA VIN verification is an important part of registering your vehicle in California. Discover what type of transactions require VIN verifications and who is authorized to complete the verification. 슈어맨,토토사이트
ReplyDeleteI have read about this and know about it very much. I see this clip more know this makes me know more about it. gclub
ReplyDeleteBut it's not as easy as just calling up an employment verification company and passing the baton - there's still a lot you need to know 슈어맨
ReplyDeletesurveillancekart security system
ReplyDeletesurveillancekart cctv installation services
cp plus
Pestveda pest control services
dezigly
The feedgasm Latest News And Breaking News
quicksodes
latest news in hindi
I got what you mean , thanks for posting .Woh I am happy to find this website through google. Dominoqq
ReplyDelete
ReplyDeletehttps://www.rashed-kw.com/سباك-بالكويت/
https://www.rashed-kw.com/تسليك-مجاري-الكويت/
https://www.rashed-kw.com/
رقم فني صحي
To continue irritating application notices under control, you can incapacitate the notices. You can undoubtedly do this from the play store settings.
ReplyDeletehttps://giftcardprizes.com/google-play-gift-card-free-generator/
Thanks for your sharing. Hope you can contribute more quality posts to this page. Thank you!
ReplyDeleterun 3
This comment has been removed by the author.
ReplyDeletethanks for your sharing i like you post
ReplyDeleteThe authority App Store is the place you get all your applications and recreations for your gadget. ac Market is one such option App Store for Android clients where they can get practically all the applications and diversions that they need.
ReplyDeletehello!! Very interesting discussion glad that I came across such informative post. Keep up the good work friend. Glad to be part of your net community. cara main poker
ReplyDeleteI would like to thanks for sharing the high-value article with us and I hope you'll publish more article like this type of post.Career Mistakes based on your Zodiac Sign
ReplyDeleteStudents while completing their assignments might be required to avail Nursing Assignment Help, SWOT Analysis Help, Market Conditions Homework help, and comment on or Design New Product Assignment help. Alternately, students might not just only want online assignment help but might also want economics teaching help so as to better understand the subject. while seeking Biology assignment help online might be necessary to keep up with the course load, developing personal expertise and knowledge in project management assignments is also vital.
ReplyDeleteNetwork Security Final Year Project Ideas
ReplyDeleteProject Centers in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai
What a fantabulous post this has been. Never seen this kind of useful post. I am grateful to you and expect more number of posts like these. Thank you very much. 토토사이트
ReplyDeleteHaving a reasonable thought of the classification into which your blessing will fall, consequently, is the initial phase in picking the correct present for your planned beneficiary. blomster bamse
ReplyDeleteI am usually to blogging i really appreciate your posts. Your content has really peaks my interest. I’m going to bookmark your website and keep checking achievable information. fortnite v bucks generator
ReplyDeletelouboutin shoes
ReplyDeletemichael kors handbags
christian louboutin shoes
coach outlet stores
kd shoes
christian louboutin outlet
adidas flux
fenty puma
jordan shoes
yeezy 500 blush
Your blog is quite informative and creative at the same time. These are the two qualities especially help every content to become the most readable of all. However, these qualities are difficult to acquire which is the reason why students opt for assignment help services to get their queries solved within the time specified. My Assignment Services is widely preferred by students if they are looking for assignment Australia queries over the internet. We have more than 2000 professional experts who are available 24x7 to help you with all types of queries in giving you the assignment requirements and strictly adhering to the marking rubrics. My Assignment Services is a professional Australian assignment help service provider who has been expanding its services across the world. You can contact their experts by visiting their website at My Assignment Services if you come across any query related to any type of assignment and any subject.
ReplyDeleteThank you for taking the time to publish this information very useful! sbobet
ReplyDeletePretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info
ReplyDeletethings to do
When student purchases Persuasive Essay Services from our firm, we strive to ensure that their identities are concealed and their data is in proper storage and away from free sites. All students who seek to access Custom College Research Papers should contact our support team for assistance and purchase our services to attain better grades and learn writing from our authors.
ReplyDeleteThanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
ReplyDeletepost free classified ads in india
Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. 먹튀
ReplyDeleteThe article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post.
ReplyDeleteCCTV Service Pakistan
That is really nice to hear. thank you for the update and good luck. Buy Pinterest Followers
ReplyDeleteI am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
ReplyDeleteCyber Security Projects for Final Year
JavaScript Training in Chennai
Project Centers in Chennai
JavaScript Training in Chennai
Thanks for the post! Very useful!
ReplyDeletesizzling hot deluxe
Your feedback helps me a lot, A very meaningful event, I hope everything will go well
ReplyDeleteWhen it comes to your academic dreams and grades we try to give our best by supporting you in completing your college assignments.
ReplyDeleteOur administrative experts work dedicatedly and passionately to provide top quality essay writing help to the students. Meticulous paper structures,
subject matter relevance, free from grammatical errors are main characteristics that our highly experienced and talented writers endeavor for.
Still drowning in the worry to complete your college assignments?
Assignment helpers Online
The ultimate goal of descriptive essay help services is to provide Descriptive Essay Writing Services and descriptive essay services since descriptive essay writing help seekers lack time to complete their custom descriptive essay writing services.
ReplyDeleteThis service is very useful for us because through this, we can save our data from hackers and no one can open our documents and this is a great service. I am also using it and satisfied with its features. Master dissertation writing service.
ReplyDeleteAmong other courses, tourism writing services has become popular since students seek Tourism & Leisure Writing Services and tourism assignment writing services.
ReplyDeleteNursing subject is considered as a least field which requires academic assignment writing skills yet it demands significant amount of academic comprehensive works with short deadlines.
ReplyDeleteIt becomes a difficult task for students especially with nursing as it is a more practical subject than theory.
And if you are searching for a reliable site amidst so many swarming on the internet then Unique Submission assignment writing services is the one you have been looking for.
Get help for Nursing Assignments
Most of the students are fascinated with opting Law as a career. A good academic record leads to a good placement also. Unique Submission law assignment writing help services are here to take off the burden of multiple assignment writing topics from your shoulders. Here our law subject expert writers will ensure to get you peerless outcomes with their law assignments help on the comprehensive writing academic field.
ReplyDeleteLaw assignment writing help
Opting Operations management as a career has been a popular choice in management students. Unique Submission endeavors to yield best assignment on operation
ReplyDeletemanagement service to the students seeking to become operations manager. As completing academic assignments become tiresome for students they are in
continuous search for help.
Operations Assignment writing services
Let us revive your business with our custom mobile app development services.
ReplyDeleteWe are one among the best web design company in Chennai. Our objective is to deliver clients with trending solutions that add values to their webpages and applications. We are Professional Website Design Services and we have efficient team of experts who are keen to complete the project within specified period. Our HTML5 developers are up to date in latest designing tools and technologies to build interactive websites. If you are looking for web designing services in Chennai also you can hire web designer India and we are here to help you.
ReplyDeleteWith the use of Affordable Writing Services Online Students can get help for their Assignments. Always go for the Best Essay Writing Services from the company that offers Academic Essay Writing Services At the lowest cost.
ReplyDeletevé máy bay tết giá rẻ
ReplyDeletevé máy bay đi Mỹ hạng thương gia
vé máy bay Việt Nam đi Pháp
mua vé máy bay đi hàn quốc giá rẻ
vé máy bay đi nhật giá bao nhiêu
lịch trình bay từ việt nam sang Anh
săn vé máy bay 0 đồng
vé máy bay đi San Francisco bao nhiêu tiền
thời gian bay từ Việt nam sang Los Angeles
combo du lịch nha trang
This is Google's amazing feature because through this, you can save your data from hackers because due to two-step verification, they can't get access to your Gmail account. You can use your account without any confusion. Dissertation writing service.
ReplyDeleteExcellent post. I was checking constantly this blog and I am impressed!
ReplyDeleteExtremely helpful info specifically the last part
I care for such info much. I was seeking this particular info for a very long time.
Thank you and good luck.
easeus todo backup crack
solveigmm video splitter crack
active file recovery crack
soft maker 2021 crack
razer game booster crack
Great post! We are linking to this great article on our
ReplyDeletesite. Keep up the great writing.
final cut pro x crack
hma pro vpn crack
magix photostory deluxe crack
gstarcad crack
bb flash back pro build crack
inpixio photo focus pro crack