Experts Bypass Google’s 2-Step Verification by Abusing Application-Specific Passwords

Google has addressed the issue after being notified by Duo Security researchers

February 26th, 2013, 15:59 GMT

Researchers from Duo Security have identified a way to circumvent Google’s two-factor authentication system and reset a user’s master password by abusing the victim’s application-specific password (ASP).

Google requires users to create ASPs for applications that don’t support two-step verification, such as email clients, chat clients and calendar apps.

“If you create an ASP for use in (for example) an XMPP chat client, that same ASP can also be used to read your email over IMAP, or grab your calendar events with CalDAV,” Duo Security’s Adam Goodman explained.

“As it turns out, ASPs can do much, much more than simply access your email over IMAP. In fact, an ASP can be used to log into almost any of Google’s web properties and access privileged account interfaces, in a way that bypasses 2-step verification!” Goodman added.

Building on research by Nikolay Elenkov, the experts found a way to log into any Google property with a username, the ASP and a request to android.clients.google.com/auth.

According to the experts, an attacker could have used the victim’s ASP to access the “account recovery options” page and reset the master password, or access the two-step verification settings page and disable the security feature altogether.

It’s worth noting that ASPs are generated by Google and users are not required to memorize them, so it’s not easy for cybercriminals to obtain them via phishing attacks. On the other hand, the passwords are often stored in plaintext in local files, which means that malware should have no problems retrieving the information.

The issue was reported to Google back in July 2012. On February 21, 2013, Google pushed a fix to prevent ASP-initiated sessions from accessing sensitive account interfaces.

Researchers say an attacker who possesses an ASP could still cause significant harm, which is why they hope Google will implement additional restrictions in the future.
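The model below is an added illustration, not Google's or Duo Security's code: it contrasts a policy where any valid session reaches every interface with one that, like the February 2013 fix, keeps ASP-initiated sessions away from sensitive account pages. The interface names, the `Session` type and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class AuthMethod(Enum):
    TWO_STEP = "2sv"  # interactive login that passed 2-step verification
    ASP = "asp"       # application-specific password, no second factor

# Hypothetical interface names standing in for the pages the article mentions.
SENSITIVE = {"account_recovery_options", "two_step_verification_settings"}
ORDINARY = {"mail", "calendar", "chat"}

@dataclass(frozen=True)
class Session:
    user: str
    auth_method: AuthMethod

def authorize_before_fix(session, interface):
    """Pre-fix model: how the session was established is never consulted."""
    return interface in SENSITIVE | ORDINARY

def authorize_after_fix(session, interface):
    """Post-fix model: sensitive interfaces require a 2-step verified session."""
    if interface in SENSITIVE:
        return session.auth_method is AuthMethod.TWO_STEP
    return interface in ORDINARY

def reachable(authorize, session):
    """Sorted list of interfaces this session can open under a policy."""
    return sorted(i for i in SENSITIVE | ORDINARY if authorize(session, i))

def policy_gaps(authorize):
    """Sensitive interfaces an ASP session can still open (should be empty)."""
    asp = Session("alice@example.com", AuthMethod.ASP)  # constructed sample user
    return [i for i in reachable(authorize, asp) if i in SENSITIVE]

if __name__ == "__main__":
    asp = Session("alice@example.com", AuthMethod.ASP)
    print("gaps before fix:", policy_gaps(authorize_before_fix))
    print("gaps after fix: ", policy_gaps(authorize_after_fix))
    print("ASP still reaches:", reachable(authorize_after_fix, asp))
```

Running `policy_gaps` as a regression check catches any new sensitive interface that forgets to look at the session's authentication method; the last line shows the residual exposure the researchers point to.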

The technical details of this vulnerability are available on Duo Security’s blog.
