
Re: [Full-disclosure] Security Problem with Google’s 2-Step Authentication



On 2012-07-30, at 07:41, Pablo Ximenes <pablo@xxxxxxxx> wrote:
> I'd like to share with you one of my findings that failed to get
> Google's Security Reward. Although Google doesn't consider it a
> security problem, some might find it at least amusing if not
> interesting.

From the linked article, http://ximen.es/?p=653 -
> I found out they have a time window of 10 minutes in which any of the 20 OTP 
> passwords are valid. [...] I have suggested invalidating all the time window 
> (all the 20 OTPs) [when a user uses an OTP...]

Invalidating the entire window would make you unable to authenticate using OTP 
more than once every 10 minutes. In any case, I'm having a hard time imagining 
what sort of threat model would make this necessary -- if you can somehow 
predict a user's OTP code for some point in the future, you could go ahead and 
predict one that's even further in the future (outside the window of 
invalidated keys), and use it when that time arrives.

> or at least they could synchronize accounts.google.com’s watch with the 
> user’s at some point, like some banks do.

Current versions of Google Authenticator have an option to do exactly this. The 
10-minute window seems kind of wide; I'd imagine that it was introduced before 
the time sync option was available, for compatibility with devices that are on 
cell networks with bad time servers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
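The trade-off discussed in the thread (invalidating only the used code versus the whole window, and resynchronizing the server's idea of the user's clock) can be made concrete with a small TOTP verifier. The following is an added example, not code from the thread or from Google Authenticator. It assumes RFC 4226/6238 HOTP/TOTP with HMAC-SHA1, 30-second steps and 6-digit codes, and a window of 10 steps back and 9 steps forward (20 codes, roughly the 10-minute window the post describes); the replay rule and the learned per-account skew are this example's own design choices.

```python
"""TOTP verifier with per-code replay rejection and learned clock skew.

Added example; assumptions: RFC 4226/6238 HOTP/TOTP (HMAC-SHA1, 30 s steps,
6 digits), a 20-code window (10 steps back, 9 forward). The replay rule and
skew learning are this example's design, not any vendor's implementation.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Per-account verifier state: highest step already used and learned clock skew."""

    def __init__(self, secret: bytes, steps_back: int = 10, steps_forward: int = 9):
        self.secret = secret
        self.steps_back = steps_back
        self.steps_forward = steps_forward
        self.last_counter = -1   # highest time step accepted so far; -1 = none yet
        self.skew_steps = 0      # learned offset of the user's clock, in steps

    def verify(self, code: str, now: float) -> bool:
        """Accept `code` if it matches an unused step inside the window around `now`."""
        current = int(now) // STEP_SECONDS
        center = current + self.skew_steps          # window centred on the user's clock
        for counter in range(center - self.steps_back, center + self.steps_forward + 1):
            if counter < 0 or counter <= self.last_counter:
                # Reject the code just used and anything older than it, but keep
                # later steps valid: one login does not burn the whole window.
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                # Resync: remember how far the user's clock is from ours, so later
                # checks are centred correctly (the "synchronize the watch" idea).
                self.skew_steps = counter - current
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test secret; t = 59 s is step 1, whose code is 287082.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier(demo_secret)
    print("first use:", v.verify("287082", 59))    # True
    print("replay:   ", v.verify("287082", 59))    # False, same step reused
    print("next step:", v.verify("359152", 59))    # True, later step still valid
```

Rejecting only steps at or before the last accepted one blocks replay of a used code without forcing the 10-minute lockout that invalidating the whole window would cause. Learning the skew per account after each success is what allows a verifier to shrink the window without locking out users whose phone clocks drift.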