- Aug 30, 2015
- 189
Now I'm sure many have known about this for years, because it's been going on for at least a year and a half. Google's dual-step verification is absolutely exploitable and has been exploited. Essentially, every dual-step verification through Google should be sent to your smartphone via SMS with a six-digit number, e.g. 547215. I did a lot of digging: the spam servers are VoIP, obviously; one server is registered in Hollywood, FL, the other in Miami, FL. The VoIP seems to be registered to a carrier called BANDWIDTH.COM, which is a well-known VoIP provider. The numbers have a vast range, (754) 263-####. The IP seems to register at least 500 numbers and has been reported to Google, but whether Google will actually fix it, well, that remains to be seen.
Here is an example of someone else reporting the same issue: Google Groups
Originally it was reported that they were using cookies to drive this exploit, but that just isn't the case if you ask me. I've done a lot of reading about exploiting Google accounts and have been told exactly how it's done by other hackers, and the method Google claims is the exploit is just not how it's done! I wanted to shine a light on this because there are a lot of people who are just unaware of how unsafe dual-step verification really is. We think it's keeping our accounts safer, but in fact it's easily hacked. I had this issue about a year and a half ago, and I even talked to Google about it on their help forums (which I can't for the life of me find), but their way of fixing it was rubbish. Essentially there is no way to fix it once you've been exploited. The way I went about fixing it was to immediately change my password to something insane and make sure the dual-step verification I'm getting is coming from a Google server. That seems to fix it, but I realized it just happened to me again, which is why I'm posting this thread.

I saw the new thread @BoraMurdar posted about the new Chrome material design. I downloaded it, added my extensions, and used LastPass to sign in. No issues, and yes, I had the legit LastPass extension, not the fake malware Google has allowed on their Chrome store for months! And all of a sudden I receive a fake verification, so I'm going to switch to Authy. I've only been doing it with SMS because it was easier. I just wanted to bring awareness to this situation with Google's dual-step verification being completely exploited.