Bypassing Google's Two-Factor Authentication

Adam Goodman, Duo Labs, Febru

TL;DR: An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP).

Abusing Google's (not-so-) Application-Specific Passwords

(With all due respect to Google's "Good to Know" ad campaign)

Google's 2-step verification makes for an interesting customer story in some of the challenges that go with such a wide-scale, comprehensive deployment of strong authentication. To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google's engineers had to make a few compromises. In particular, with 2-step verification came a notion of "Application-Specific Passwords" (ASPs). Some months ago, we found a way to (ab)use ASPs to gain full control over Google accounts, completely circumventing Google's 2-step verification process. We communicated our findings to Google's security team, and recently heard back from them that they had implemented some changes to mitigate the most serious of the threats we'd uncovered. Here's what we found:

Application-Specific Passwords

Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use that doesn't support logins using 2-step verification (hence "Application-Specific"). Then you use that ASP in place of your actual password.
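To make the "not-so-specific" point concrete, here is an added example (constructed model, not Google's code): an `Account` class that mints per-application passwords and checks them two ways. `legacy_authorize` accepts any valid ASP as a stand-in for the real password, regardless of application or action, which is the property the post describes as abusable; `scoped_authorize` binds each ASP to the one application it was created for and refuses sensitive actions such as a password reset, reserving those for a login that completed 2-step verification. The scope names, action names and `SENSITIVE_ACTIONS` set are assumptions made for this example.

```python
import hashlib
import secrets

# Constructed model of application-specific passwords (ASPs); not Google's
# implementation. Account-recovery actions are never granted to an ASP.
SENSITIVE_ACTIONS = {"reset_password", "change_recovery_options"}


def _digest(secret: str) -> str:
    # ASPs are stored hashed, so a leaked table does not yield usable ASPs.
    return hashlib.sha256(secret.encode()).hexdigest()


class Account:
    def __init__(self) -> None:
        # digest(asp) -> application scope the ASP was minted for
        self._asps: dict[str, str] = {}

    def create_asp(self, scope: str) -> str:
        """Mint a random 16-character ASP for one application (shown once)."""
        asp = secrets.token_hex(8)
        self._asps[_digest(asp)] = scope
        return asp

    def revoke_asp(self, asp: str) -> None:
        """Revoking one ASP does not affect the master password or other ASPs."""
        self._asps.pop(_digest(asp), None)

    def legacy_authorize(self, asp: str, scope: str, action: str) -> bool:
        """Weak: any valid ASP is accepted for any scope and any action,
        i.e. the ASP is a full substitute for the account password."""
        return _digest(asp) in self._asps

    def scoped_authorize(self, asp: str, scope: str, action: str) -> bool:
        """Hardened: the ASP works only for its own application scope and
        never for a sensitive action, which needs the full 2-step login."""
        granted = self._asps.get(_digest(asp))
        if granted is None or granted != scope:
            return False
        return action not in SENSITIVE_ACTIONS
```

Run the two checks side by side with an ASP minted for "imap": the legacy check lets it through for "reset_password" in any scope, the scoped check allows only "imap" actions that are not in `SENSITIVE_ACTIONS`.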