07/08/2012

Google TFA Security Issue

The following note describes a (serious) security vulnerability with Google accounts two-factor authentication, which I believe leads to full account access. I have raised this with Google, and it is a 'Known Issue' and no action is being taken, and they have no constraints on publication. I understand their security versus usability tradeoff, so this is mostly an exercise in full disclosure. See also the Honorable Mention, July - September 2012 section of the Security Hall of Fame.

UPDATED 2013-02-25

The same issue has been discovered and blogged about by Duo Security researcher Adam Goodman - Bypassing Google’s Two-Factor Authentication and Hacker News discussion.

Issue

It is possible to bypass and disable two-factor authentication and re-enable it with a different Android device and phone number without ever knowing the account password or having access to an authorised authenticator or phone number.

Discovery

I enabled two-factor authentication or two-step verification [1] on my Google account last year, using an Android phone connected to an Orange PAYG SIM to generate the validation codes. In the process of moving flat, I lost this phone and also mislaid my printed set of backup codes. This meant that I was unable to authenticate myself to any of the Google account services over HTTP/HTTPS, as after accepting my password they all required the extra TFA code. These included the account and profile settings page, Google+, Blogger and other Google web properties such as YouTube.

In fact, the only Google services I could access were those for which I had an application-specific sixteen character password [2] already generated, and it was not possible to generate any further such passwords. Additionally, these passwords are not sufficient to log into any of the Google web sites, and attempts using them are rejected. The only approved way to disable TFA and regain access to Google sites was to go through the account recovery process [3] which requires detailed knowledge of the history of the account. Even as the owner of the account, I was unable to provide enough correct answers to satisfy Google support and regain access although I tried several times.

Using the vulnerability below I discovered that I was able to bypass the normal restrictions and re-configure the account security settings to give me access to my account again, and register my new phone and device instead.

Requirements

The following are required to gain access to a two-factor authentication protected account. Note that the main password is not needed, nor is access to any of the configured authentication devices or phone numbers.

  • Any application specific password for the Google account (This can usually be obtained by examining the configuration files for an application using the password, or looking in the 'Keychain' on OSX or other operating system equivalent)
  • Android 3.2.2 device (As tested, other versions may also work)

Process

The following process will enable full access to, and control of any Google account protected by two-factor authentication. I have tested this using my own Google account.

  • Add the Google account to the Android device, giving the application-specific password as the credential
  • Ensure 'Google automatic sign in' is enabled for the Android browser
  • Access Google's homepage using the browser
  • Click on 'account settings' or other link which requires authentication with Google
  • The browser will automatically authenticate the account you will be logged in as the chosen account
  • It is now possible to change all two-factor authentication settings, either disabling it completely or changing the configured device and phone numbers used to generate codes

Conclusion

This is a serious flaw, since users assume that their accounts cannot be compromised unless an attacker obtains the device used for authentication, or gains control of their authorised phone number, neither of which is required for this attack.

It is possible to log into an account protected by two-factor or two-step authentication without ever invoking this process or having access to the authorised device or phone. This bypasses all protections that are assumed to be provided by the service, allowing an attacker in possession of an application specific password to gain complete control over a two-factor protected account which the user assumes is safe.

References

[1],[2],[3]