Google has patched a flaw in its two-step authentication that would have allowed attackers to gain access to the accounts of users who had enabled it.
Google's two-step authentication works by sending text messages or phone calls to users who've signed up for the method to confirm their identities. An app can also be used to authenticate with Google. It's an optional method of logging in to Google that in theory adds an extra level of security in case a user's password is compromised.
For convenience, individuals can also choose application-specific passwords that allow them to access applications that require a Google login, such as an e-mail application on a smartphone or tablet, without having to go through the Google two-step login procedure.
The application-specific password feature is at the heart of the security vulnerability. These passwords are long and complex and are meant to be used only once. "ASPs are complex strings of characters that are not designed to be written down or memorized," a Google spokesperson told NBC News.
The functionality is essentially a "one-time pad" – a form of encryption theoretically impossible to break, as long as it is implemented correctly.
A report by Duo Security has found that these passwords could be reused.
Achieving this in practice would be difficult: the passwords cannot be retrieved from the Google side, only revoked, and they are almost impossible to locate on an actual device. The complexity of these passwords would also make them difficult to guess using a dictionary attack.
Of course, there is not much of a defense if a user's primary password is easily guessable.
In any case, Google has made changes to its system that would prevent such an attack. Google said it had no knowledge of any attempted attacks, and is now requiring authentication for "sensitive" actions.
The application-specific passwords are now truly one-time only.
Edited by Braden Becker