Google Dual Step Verification Exploit!

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
Now I'm sure many have known about this for years, because it's been going on for at least a year and a half. Google's dual step verification is absolutely exploitable and has been exploited. Essentially every dual step verification through Google should be sent to your smartphone via SMS with a six-digit number, e.g. 547215. I did a lot of digging: the spam servers are VoIP, obviously; one server is registered in Hollywood, FL, the other is in Miami, FL. The VoIP seems to be registered to a carrier called BANDWIDTH.COM, which is a well-known VoIP provider. The numbers have a vast range, (754)263-####. The IP seems to register at least 500 numbers and has been reported to Google, but Google actually fixing it, well, that remains to be seen.
Here is an example of someone else reporting the same issue: Google Groups
Originally it was reported they were using cookies to drive this exploit, but that just isn't the case if you ask me. I've done a lot of reading about exploiting Google accounts and been told exactly how it's done by other hackers, and the method Google claims is the exploit is just not how it's done! I wanted to shine light on this due to the fact that there are a lot of people who are just unaware of how unsafe dual step verification really is. We think it's keeping our accounts safer, but in fact it's easily hacked. I had this issue about a year and a half ago and I even talked to Google about it on their help forums, which I can't for the life of me find, but their way of fixing it was rubbish. Essentially there is no way to fix it once you've been exploited. The way I went about fixing it was to immediately change my password to something insane and make sure the dual step verification I'm getting is coming from a Google server. That seems to fix it, but I realized it just happened to me again, which is why I'm posting this thread. I saw the new thread @BoraMurdar posted about the new Chrome material design. I downloaded it, added my extensions and used LastPass to sign in. No issues, and yes, I had the legit LastPass extension, not the fake malware Google has allowed on their Chrome store for months! And all of a sudden I receive a fake verification, so I'm going to switch to Authy. I've only been doing it with SMS b/c it was easier. I just wanted to bring awareness to this situation with Google's dual step being completely exploited.

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I downloaded it, added my extensions and used LastPass to sign in. No issues, and yes, I had the legit LastPass extension, not the fake malware Google has allowed on their Chrome store for months! And all of a sudden I receive a fake verification, so I'm going to switch to Authy.
Could you elaborate further:
Do you have Sync for Chrome set up, i.e. do you log in to Chrome using your Google Account?
Do you have 2FA enabled on your Google Account?
If verification failed, how did you gain access to your Google account?
What is "fake malware google" exactly?

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
Could you elaborate further:
Do you have Sync for Chrome set up, i.e. do you log in to Chrome using your Google Account?
Do you have 2FA enabled on your Google Account?
If verification failed, how did you gain access to your Google account?
What is "fake malware google" exactly?
2FA: yes. Do I log in using my Google account: yes, one of them.

The fake malware Google has allowed on their store is a LastPass extension; about 15 or 16 people had installed it last I saw. I just checked, and it was removed as far as I can tell, but it was up last week or the week before when I reinstalled Chrome on my wife's laptop. It was not the legit LastPass extension. That's what I was referring to there.

Yes, I have every security option Chrome has to offer enabled, including sync password, and I never sync anything except bookmarks, and I didn't do that this time b/c I just wanted to see the material design.
Verification doesn't fail; essentially they are just pwning your Gmail/Google account and getting around your dual step verification using their VoIP. The exploit being used wasn't shared with me, only explained. So I can't tell you exactly what exploit they're using; "he" wouldn't say. But he assures me the exploit still exists and is being used on a daily basis to attack and gain access to Google accounts. Oh, and I forgot to mention they aren't using a phishing attack as I thought originally! I think I was attacked originally using a Google Drive exploit that Google was made aware of last year and fixed, but I can't say for sure since my source says the exploit is still being used.
Now I was told this original exploit was used to access your Google account and purchase things on the Google Play Store and/or gain access to your Google Wallet (forgot the Google Wallet part :p). That's what its original purpose was, but that was a year or so ago; I imagine they have come up with new uses for the exploit. I'm not exactly sure, just bringing notice to it. I'm sure most of you are aware dual step actually is very exploitable in most cases. There are even specific pen tools to do just that. Recently cyberpunk posted an article about it on n0where.net. And those guys are amazing at pentesting just about everything, and they were at DEF CON and Black Hat. I'm sure some of you are aware of them. A bit of googling will show you their dual step verification attack.
I'd honestly like to know if my account is pwned forever due to this attack that happened over a year ago, or if there is any way around this.
I have about 50 Gmail accounts, only one of which matters to me, which is associated with my Google developer account. Surprisingly, that is the one they went after; none of my other accounts have ever been attacked. And all my secondary accounts use LastPass-generated passwords, and I honestly don't care about them, and nothing is tied to those accounts at all, nothing, absolutely nothing. My main account I rarely sign into b/c of this, to be honest, and it has an insanely long password using characters/symbols/numbers. I only use my phone for it anyway. The only time I sign into that account is when I update any of my apps on the Play Store or reinstall the ROM I run as a daily... I believe my method is the only way to take care of it, but I could be wrong, because what Google told me to do, like I said, was nonsense and didn't work at all.