"To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google’s engineers had to make a few compromises. In particular, with 2-step verification came a notion of 'Application-Specific Passwords' (ASPs)," explains Adam Goodman.
The user is required to create and use a separate ASP for every application that doesn't support 2-step verification logins - Adium, Apple Mail, Thunderbird, iCal, and so on.
But the problem with ASPs is that, despite the name, they don't actually limit the user's access to only certain data or services in the account. "In fact, an ASP can be used to log into almost any of Google’s web properties and access privileged account interfaces, in a way that bypasses 2-step verification," the researchers discovered.
Getting one's hands on a user ASP was not that hard, they say.
By analyzing the web auto-login mechanism on Android, they came up with a way to exploit it without using an Android device. They set up an intercepting proxy with a custom CA certificate to watch the network traffic between an Android emulator instance and Google’s servers, then analyzed the request sent when adding a Google account to the emulator (using an ASP).
They discovered that the EncryptedPasswd parameter in the request is the (encrypted) ASP, and that replacing it with the unencrypted Passwd parameter from the ClientLogin API documentation, set to their ASP, returned a valid token that appeared to grant full account access.
Sending two more requests - first with the token and then with an ASP - they obtained a URL that, when opened in an unauthenticated web browser after the preceding API call, logged them into the account settings page automatically.
"So: given nothing but a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)," they concluded.
Once in, the attacker can modify the password recovery email address, reset the victim’s master password, or turn off 2-step verification.
Understanding the severity of the flaw, the researchers shared their findings with Google, and the company pushed out a fix for the flaw last week.
According to the researchers, Google now maintains some per-session state recording how the user authenticated, and the account-settings portal allows access to security settings only if the user logged in by first entering the username and password and then supplying the second authentication factor.
Now, even if an attacker manages to get hold of a user's ASP (via malware or MitM attacks), the harm he can do is limited, and control of the account ultimately remains with the legitimate user, who can revoke the compromised ASP.
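As an added illustration of the mitigation described above (example code, not Google's own; the user names, credentials and plaintext credential store are constructed for the example), a session that records how the user authenticated and gates security-settings changes, including ASP revocation, on password plus second factor:

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set

class AuthMethod(Enum):
    PASSWORD = "password"            # master password entered interactively
    SECOND_FACTOR = "second_factor"  # 2-step verification code
    ASP = "asp"                      # application-specific password

@dataclass
class Session:
    user: str
    methods: Set[AuthMethod] = field(default_factory=set)  # per-session record of how the user authenticated

# Constructed sample credential store (hypothetical; stored in plaintext only for brevity).
USERS = {
    "alice": {
        "password": "correct-horse-battery",
        "otp": "123456",
        "asps": {"mail-client": "abcd efgh ijkl mnop"},
    },
}

def _match(stored: str, supplied: str) -> bool:
    # Constant-time comparison so timing does not leak which characters matched.
    return hmac.compare_digest(stored.encode(), supplied.encode())

def login_with_password(user: str, password: str, otp: str) -> Optional[Session]:
    """Interactive login: password, then second factor. Both methods are recorded on the session."""
    rec = USERS.get(user)
    if rec is None or not _match(rec["password"], password) or not _match(rec["otp"], otp):
        return None
    return Session(user, {AuthMethod.PASSWORD, AuthMethod.SECOND_FACTOR})

def login_with_asp(user: str, asp: str) -> Optional[Session]:
    """ASP login: grants a session, but only ASP is recorded, never the second factor."""
    rec = USERS.get(user)
    if rec is None or not any(_match(stored, asp) for stored in rec["asps"].values()):
        return None
    return Session(user, {AuthMethod.ASP})

def can_change_security_settings(session: Session) -> bool:
    """Security settings need password + second factor in this session; an ASP alone is not enough."""
    return {AuthMethod.PASSWORD, AuthMethod.SECOND_FACTOR} <= session.methods

def revoke_asp(session: Session, label: str) -> bool:
    """Revoking an ASP is itself a security-settings change, so it is gated by the same check."""
    if not can_change_security_settings(session):
        return False
    return USERS[session.user]["asps"].pop(label, None) is not None
```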