Google-Jacking: A Review of Google 2-Factor Authentication
Craig Young
Security BSides
San Francisco, USA 2013

Look Who’s Talking

Talk Overview
• Defining 2-Factor Authentication (2FA)
• Defining 2-Step Verification (2SV)
• diff -Burp 2FA 2SV # Compare & Contrast
• Attacking Application-Specific Passwords
• DEMO: Do androids dream of übertokens?
• TODO: Making 2SV Better

Define: 2-Factor Authentication

man 2SV
• 2SV is Google’s 2FA branding
• Phone becomes the ‘something you have’
  - STEP 1 – Log in with account password
  - STEP 2 – Enter code from phone
• Application-Specific Passwords (ASPs)
  - Used for 3rd party & legacy support
  - 16 lowercase letters
  - Limited by application (in theory anyway)

$ diff -Burp 2FA 2SV
Authentication Credentials                | 2FA | 2SV
Something you have + Something you know   |  ♦  |  ♦
Something you know                        |     |  ♦
Something you have                        |     |  ♦
Bottom Line?
2FA enhances security by compromising convenience
2SV enhances security but only when it is convenient

Attacking Application-Specific Passwords
• Are ASPs the Achilles heel of 2SV?
1. ASPs are all powerful
2. ASP revocation is broken
3. ASPs increase the risk of token attacks
4. Google recommends saving ASPs

ASPs Provide Full Account Access
Google attempts to restrict browser-based ASP use: [screenshot]
Android browser auto sign-in bypasses this restriction: [screenshot]

HOWTO: punting the intruder
Recovery Measure Tested                    | Result
Revoke application-specific passwords      | No effect on logged-in intruder
‘Sign out all other sessions’ from Gmail   | No effect on logged-in intruder
Revoke ‘Android Login Service’             | Androids must re-authenticate
Change account password                    | Androids must re-authenticate
Recommended Procedure:
STEP 1: Revoke all ASPs
STEP 2: Change account password
STEP 3: Verify account settings

Android Apps Can Generate ASPs
• Pay attention to permissions!
• Apps with root can directly access accounts.db
• ASPs are backdoors by design

There’s An App For That
• Privacy advisors don’t look at token-related permissions
• Far too many apps have the ability to request tokens

Auditing the ASP Auditing
ASPs added and removed in the same activity period are not reported!

What could go wrong?
Check “Remember Password”
• Saving passwords gives attackers an edge
  - OS X Keychain can be dumped
• Pidgin (chat) doesn’t bother to use crypto
  - Most applications provide limited protection

DEMO!

TODO: Ditch ASPs
• Ideal Solution:
  - ASPs are no longer part of 2SV
  - Use account password + time-based code
• Quick Fix:
  - Force authentication when generating ASPs
  - Allow users to disable ASP creation

TODO: Fix ASP Revocation
• Ideal Solution:
  - Tokens should be revoked along with the ASP
  - Requires tokens & ASPs to be related
• Quick Fix:
  - Treat ASP removal like a password change
  - All sessions are forced to authenticate again

TODO: Make ASPs Application Specific
NO MORE ANDROID LOGIN WITH ASP!
• Explicit ASP Model:
  - Specify allowed services for an ASP
  - Limits abuse of compromised ASPs
• Implicit ASP Model:
  - Restrict the ASP to the 1st application using it

TODO: Lock Down Auto Sign-In
• Require a password to enable auto sign-in
• Don’t allow auto sign-in for account settings
• Allow disabling auto sign-in at an account level

TODO: ASP Auditing
• Audit how and when an ASP is used
• ‘Access type: Mobile’ is too vague
• ASP name in the activity screen would help
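As an added illustration (not Google's implementation and not the author's code) of two fixes the slides propose, "TODO: Fix ASP Revocation" (tie each token to the ASP that minted it so revocation cascades) and "TODO: ASP Auditing" (report ASP events by name instead of diffing snapshots), the following Python model contrasts the broken behaviour from the HOWTO table with the fixed one; the account, ASP name and event names are constructed for the example.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Per the slides, an ASP is 16 lowercase letters.
ASP_ALPHABET = string.ascii_lowercase
ASP_LENGTH = 16


@dataclass
class Token:
    """A session token. asp_name records which ASP minted it (None for a
    password + code login); the cascading-revocation fix needs this link."""
    value: str
    asp_name: Optional[str]
    access_type: str   # the slides call a bare 'Access type: Mobile' too vague
    valid: bool = True


@dataclass
class Account:
    period: int = 0                             # current activity period
    asps: dict = field(default_factory=dict)    # ASP name -> secret
    tokens: list = field(default_factory=list)
    events: list = field(default_factory=list)  # (period, event, ASP name)

    def create_asp(self, name: str) -> str:
        secret = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        self.asps[name] = secret
        self.events.append((self.period, "asp_created", name))
        return secret

    def login_with_asp(self, name: str, secret: str, access_type: str) -> Optional[Token]:
        stored = self.asps.get(name)
        if stored is None or not hmac.compare_digest(stored, secret):
            return None
        tok = Token(secrets.token_hex(16), name, access_type)
        self.tokens.append(tok)
        self.events.append((self.period, "asp_used", name))
        return tok

    def revoke_asp(self, name: str, cascade: bool) -> int:
        """cascade=False reproduces the HOWTO table (revoking the ASP leaves a
        logged-in session untouched); cascade=True is the proposed fix: every
        token minted by the ASP dies with it. Returns sessions invalidated."""
        del self.asps[name]
        self.events.append((self.period, "asp_revoked", name))
        killed = 0
        if cascade:
            for tok in self.tokens:
                if tok.valid and tok.asp_name == name:
                    tok.valid = False
                    killed += 1
        return killed

    def active_sessions(self) -> list:
        return [t for t in self.tokens if t.valid]


def snapshot_report(before: set, after: set) -> dict:
    """Snapshot-diff auditing: compares the ASP list at the period boundaries.
    An ASP created and revoked inside the period leaves no trace here."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def event_report(acct: Account, period: int) -> list:
    """Event-based auditing: every create/use/revoke in the period is reported
    with the ASP name, which is what the ASP Auditing slide asks for."""
    return [(ev, name) for (p, ev, name) in acct.events if p == period]


def demo() -> dict:
    """Constructed scenario: an ASP is created, used from a phone and revoked
    inside one activity period, first without and then with the fix."""
    acct = Account()
    before = set(acct.asps)
    secret = acct.create_asp("backup-tool")
    intruder = acct.login_with_asp("backup-tool", secret, "Mobile")
    acct.revoke_asp("backup-tool", cascade=False)
    result = {
        "session_survives_revocation": intruder.valid,              # True: broken
        "snapshot_audit": snapshot_report(before, set(acct.asps)),  # sees nothing
        "event_audit": event_report(acct, 0),                       # sees all three
    }
    fixed = Account()
    secret = fixed.create_asp("backup-tool")
    intruder = fixed.login_with_asp("backup-tool", secret, "Mobile")
    result["sessions_killed_by_fix"] = fixed.revoke_asp("backup-tool", cascade=True)
    result["session_survives_fix"] = intruder.valid                 # False
    return result
```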

How to Protect Yourself
1. Android is a logged-in browser session
  • Use caution when sharing your device
  • Consider unlinking your Google account when traveling
  • Watch app permissions closely (guard your tokens)
  • Use a strong password (Lock screen widgets FTW)
2. Don’t save ASPs without encryption
3. Monitor ASPs & change your passwords
Android 4.2 Lock Screen Dialer Widget [screenshot]

Concluding Remarks
• 2SV is vulnerable-by-design
• 2SV increases risk from token-based attacks
• Android + 2SV reduces security
• ASPs are a bad idea
  - Password + OTP code makes security in 1 step
  - Let users decide whether ASPs are allowed

Disclosure Timeline
1. 11/26/12–11/30/12 – Multiple 2SV/ASP issues reported to Google
2. 12/5/12 – Confirmation of reported behavior as known issues
3. 1/11/13 – Google notified of BSides SF CFP submission
4. 2/18/13 – Account Activity logic error reported to Google
5. 2/22/13 – Fix details received (re-auth requirement implemented)
6. 2/24/13 – BSides presentation
7. 2/25/13 – ASP revocation fix begins to roll out

Questions?
For more information about enterprise risk management or Google 2-step verification:
• Visit nCircle RSA booth 1023
• Check out the nCircle VERT blog: http://vert.ncircle.com
• Follow @craigtweets