Google's two-step verification, according to the company's
ad campaign, isn't merely a bear guarding your home. It's a snake pit behind the bear guarding your home.
Unfortunately, it turns out, application-specific passwords allow attackers to bounce right past the bear and to hop over the vipers.
According to Duo Security, attackers could - until a fix was issued last Thursday, that is - bypass Google accounts' two-step login verification, reset a user's master password, and gain full profile control, just by capturing a user's application-specific password (ASP).
Duo Security first spotted the ASP bug in July 2012, Adam Goodman said in a blog posting on Monday.
Google pushed out a fix that prevents these ASP-initiated hijackings last Thursday.
The bug's existence points to how challenging it can be to set up wide-scale, comprehensive deployment of strong authentication, Goodman writes.
To make two-step verification usable for all, and to glue it onto what was already a complicated, sprawling ecosystem, all without breaking any moving parts, Google engineers had to compromise in a few spots.
That's how ASPs came to be.
Read more: http://nakedsecurity.sophos.com/2013/02/28/google-patches-bug-that-allows-attackers-to-slip-past-two-factor-authentication/
