back to article Google squishes login-bypass bug that opened door to hijackers

Google has patched a flaw that allowed attackers to circumvent the web giant's two-factor login system and hijack victims' accounts. Researchers at Duo Security said anyone could bypass a Google account's two-step verification system, reset its master password and gain full control of the profile simply by capturing one of the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Why aren't vendors going to client certs?

    I don't understand why folks like Google just don't start requiring the client side to have a cert, and forcing the link to be authenticated on both sides - similar to the way SSH works.

    Yes, you have to provide a drool-resistant mechanism to set everything up - but you could pretty easily have the app set up the client side cert at account creation time, and instruct the user to save their private key to a flash drive (or SD card for a phone).

  2. Anonymous Coward
    WTF?

    Did I read this right?

    "The vulnerability, originally flagged up to Google in July 2012, was patched last week, freeing Duo Security to go public with its discovery.".

    So basically Google took half a year to fix a rather nasty flaw in its authentication system. And although Google deemed the risk factor to be low I think one of the reasons it was low was because it didn't make it out in the open. Yet...

    But shouldn't Google out of all firms realize that there is no security through obscurity? The very moment this would have gotten out in the open then there'd be a serious problem, then what ?

  3. ratfox

    Never understood how these ASPs work

    Go there, press this button, copy this, paste it here. Now you can access this thing you want.

    To put it simply, I have no clue how this is used. Good thing that I don't need to.

  4. The_Regulator

    But Google has stamped out 99.7% of hijacks

    According to another article I read on ElReg.....yet this was happening for almost a year, really........

    1. Anonymous Coward
      Anonymous Coward

      Re: But Google has stamped out 99.7% of hijacks

      Doesn't mean anybody was actually using the security hole. Getting hold of these ASPs probably meant gaining access to the victim's computer in the first place, and then there were easier solutions.

  5. Jin

    2 is larger than 1. Is it "advanced"?

    Solutions based on the 2-factor authentication generally provide more or less higher security than 1-factor solution unless deployed stupidly, not the least because 2 is larger than 1. But it does means that it is advanced. The honour of being "advanced" should be given to our ancestors who found that 2 is larger than 1.

This topic is closed for new posts.

Other stories you might like