Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Google 2-Factor Authentication Vulnerability"
From NetSec
(Created page with "= Google 2-Factor Authentication Vulnerability = This issue has been reported to Google, and thankfully, they said they would try to fix it. This exploit is limited in that it ...") |
(exploit still works) |
||
| (6 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | {{info|This issue has been reported to Google, and thankfully, they said they would attempt to fix it. Update: This exploit is still active!}} | |
| + | {{quote|This exploit is limited in that it is improbable to execute.|Laurelai}} | ||
| + | {{Warning|This is released for educational purposes only to demonstrate a [[Design Flaws|design flaw]]. We are in no way responsible or to be held liable for damages via the use of this information.}} | ||
| − | + | = What you need = | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
*An Android mobile device | *An Android mobile device | ||
| Line 11: | Line 9: | ||
*A victims account password. | *A victims account password. | ||
| − | + | = Victim Requirements = | |
{{Info|The likelihood of this attack succeeding will increase exponentially by using [[Social Engineering]] tactics.}} | {{Info|The likelihood of this attack succeeding will increase exponentially by using [[Social Engineering]] tactics.}} | ||
*Have 2 factor authentication activated. | *Have 2 factor authentication activated. | ||
| Line 17: | Line 15: | ||
*Have their Google Voice account set to receive texts from google to receive 2 factor backup codes. | *Have their Google Voice account set to receive texts from google to receive 2 factor backup codes. | ||
| − | + | = Instructions = | |
| − | + | ||
#Use the stolen application password to sign into the victims Google Voice account. | #Use the stolen application password to sign into the victims Google Voice account. | ||
#Attempt to sign into their account via Webmail, it will prompt for a 2 factor code. | #Attempt to sign into their account via Webmail, it will prompt for a 2 factor code. | ||
| Line 29: | Line 26: | ||
= Credits = | = Credits = | ||
| − | |||
Credit for this release goes to [http://twitter.com/#!/stuxnetsource Laurelai] | Credit for this release goes to [http://twitter.com/#!/stuxnetsource Laurelai] | ||
| − | {{ | + | |
| + | {{series | ||
| + | | Name = Google 2-Factor Authentication Vulnerability | ||
| + | | PartOf = Design Flaws | ||
| + | }} | ||
Latest revision as of 08:32, 29 May 2012
|
This issue has been reported to Google, and thankfully, they said they would attempt to fix it. Update: This exploit is still active! |
| Laurelai says |
|---|
| This exploit is limited in that it is improbable to execute. |
|
This is released for educational purposes only to demonstrate a design flaw. We are in no way responsible or to be held liable for damages via the use of this information. |
What you need
- An Android mobile device
- A victims application password for 2 factor authentication.
- A victims account password.
Victim Requirements
|
|
The likelihood of this attack succeeding will increase exponentially by using Social Engineering tactics. |
- Have 2 factor authentication activated.
- Have an application password for a program like Thunderbird that the attacker steals.
- Have their Google Voice account set to receive texts from google to receive 2 factor backup codes.
Instructions
- Use the stolen application password to sign into the victims Google Voice account.
- Attempt to sign into their account via Webmail, it will prompt for a 2 factor code.
- Click the option you use when you dont have a code.
- Select the option to send a code to your text number.
- Use texted number to login to the account.
- Remove victims mobile device and add yours as the Google authenticator device.
You have now taken over an account that uses two factor authentication.
Credits
Credit for this release goes to Laurelai
|
Google 2-Factor Authentication Vulnerability Visit the Design Flaws Portal for complete coverage.
|
