dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
397
share rss forum feed


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 edit

Google's two-factor authentication bypassed

quote:
Google has fixed a vulnerability which could in theory have enabled attackers to compromise Google accounts protected by two-factor authentication.
quote:
There is, however, an intentional backdoor for applications which are not set up for two-factor authentication in the form of application specific passwords (ASP). If, for example, you want to use Thunderbird to download email from a Google account secured using two-factor authentication, you simply generate an ASP which is submitted by Thunderbird in place of the normal password.

This has the disadvantage that an attacker who intercepts the ASP then has access to email, calendar items and contacts without requiring the one-time password. Under normal circumstances, it should not be possible to permanently take over the user's Google account (for example by changing the main password) using an ASP.
quote:
The researchers reported their discovery to Google last July, but the vulnerability was only fixed at the end of last week.
Full article - The H Security