Questions about this topic? Sign up to ask in the talk tab.

Google 2-Factor Authentication Vulnerability

From NetSec
Revision as of 15:24, 28 October 2011 by User (Talk | contribs)

Jump to: navigation, search

This issue has been reported to Google, and thankfully, they said they would try to fix it.

This exploit is limited in that it is improbable to execute.

What you need

  • An Android mobile device
  • A victims application password for 2 factor authentication.
  • A victims account password.

Victim Requirements

c3el4.png The likelihood of this attack succeeding will increase exponentially by using Social Engineering tactics.
  • Have 2 factor authentication activated.
  • Have an application password for a program like Thunderbird that the attacker steals.
  • Have their Google Voice account set to receive texts from google to receive 2 factor backup codes.

Instructions

  1. Use the stolen application password to sign into the victims Google Voice account.
  2. Attempt to sign into their account via Webmail, it will prompt for a 2 factor code.
  3. Click the option you use when you dont have a code.
  4. Select the option to send a code to your text number.
  5. Use texted number to login to the account.
  6. Remove victims mobile device and add yours as the Google authenticator device.

You have now taken over an account that uses two factor authentication.

Credits

Credit for this release goes to Laurelai

RPU0j.png This is released as an educational howto. We are not responsible for damages via the use of this information.