Google's two-factor authentication bypassed
Google has fixed a vulnerability which could in theory have enabled attackers to compromise Google accounts protected by two-factor authentication.
There is, however, an intentional backdoor for applications which are not set up for two-factor authentication in the form of application specific passwords (ASP). If, for example, you want to use Thunderbird to download email from a Google account secured using two-factor authentication, you simply generate an ASP which is submitted by Thunderbird in place of the normal password.
This has the disadvantage that an attacker who intercepts the ASP then has access to email, calendar items and contacts without requiring the one-time password. Under normal circumstances, it should not be possible to permanently take over the user's Google account (for example by changing the main password) using an ASP.
quote: Full article - The H Security
The researchers reported their discovery to Google last July, but the vulnerability was only fixed at the end of last week.