Researchers Uncover Security Flaw in Google's Two-Factor Authentication
Application-specific passwords, it turned out, weren't actually application-specific.
Duo Security researchers recently found a significant flaw in Google's two-step verification system.
"According to DuoSecurity, Google requires that users create application-specific passwords for each application that doesn't support Google's two-step login," writes Threatpost's Brian Donohue. "This requirement is generally imposed upon apps that don't require web-based login, like email clients using IMAP, SMTP, chat clients that communicate via Extensible Messaging and Presence Protocol (XMPP) and calendar apps that sync via CalDAV."
"The problem was, those manual app-specific passwords you put in weren't actually app-specific," writes Gizmodo's Eric Limer. "Anyone could re-use any of those passwords to link a Google device (Android phone, Chromebook) to a Google account. From there, hackers could log in to services with the device, strolling right on in to account settings without ever knowing the real password."
"According to the Duo Security researchers, Google fixed the flaw on Feb. 21, but the incident highlights the fact that Google's application-specific passwords don't provide granular control over account data," writes Computerworld's Lucian Constantin.