
In recent versions of Android (and Chrome OS), Google has included, in their browser, an “auto-login” mechanism for Google accounts. After you’ve linked your device to a Google account, the browser will let you use your device’s existing authorization to skip Google’s web-based sign-on prompts.


On his excellent Android Explorations blog, Nikolay Elenkov documented a rather in-depth investigation into the web auto-login mechanism on Android.

To do this, we set up an intercepting proxy with a custom CA certificate to watch the network traffic between an Android emulator instance and Google’s servers.

When adding a Google account to the emulator (using an ASP), we saw the following request:

While the URL and some of the parameters aren’t documented, this very closely resembles the Google ClientLogin API.

If you create an ASP for use in (for example) an XMPP chat client, that same ASP can also be used to read your email over IMAP, or grab your calendar events with CalDAV. In fact, Eric Grosse and Mayank Upadhyay of Google even call this weakness out in their recent publication about Google's authentication infrastructure, "Authentication at Scale", appearing in IEEE S&P Magazine vol. 1.

As it turns out, ASPs can do much, much more than simply access your email over IMAP.

In fact, an ASP can be used to log into almost any of Google’s web properties and access privileged account interfaces, in a way that bypasses 2-step verification!

TL;DR: An attacker can bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP).

(With all due respect to Google's "Good to Know" ad campaign.)

Google’s 2-step verification makes for an interesting case study in some of the challenges that go with such a wide-scale, comprehensive deployment of strong authentication.

(There is even experimental support for this in desktop versions of Chrome; you can enable it by visiting .)

Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal.

This included the “Account recovery options” page, on which you can add or edit the email addresses and phone numbers to which Google might send password-reset messages.
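The two design points above, an ASP created for one service being honoured by every other service, and a session derived from it reaching the account-recovery settings without 2-step verification, can be modelled side by side. The following is an added illustration, not Google's code; the service names and the `SENSITIVE_SERVICES` set are hypothetical.

```python
# Added illustration, not Google's code: a toy authorization server contrasting
# an application-specific password that every backend honours with one bound to
# its declared service plus a step-up check for sensitive account-settings pages.
from dataclasses import dataclass
import secrets

SENSITIVE_SERVICES = {"account_recovery", "password_reset"}  # hypothetical 2SV-gated pages

@dataclass(frozen=True)
class Credential:
    scopes: frozenset      # services this credential may be presented to
    second_factor: bool    # whether a second factor was completed at issuance

class UnscopedIssuer:
    """The weak model: the ASP's label is cosmetic; any backend accepts it."""

    def __init__(self):
        self.creds = {}

    def issue_asp(self, label):
        token = secrets.token_hex(8)
        self.creds[token] = Credential(frozenset({"*"}), second_factor=False)
        return token

    def authorize(self, token, service):
        return token in self.creds  # a valid ASP unlocks every service

class ScopedIssuer(UnscopedIssuer):
    """Hardened model: credential bound to one service, 2SV for sensitive ones."""

    def issue_asp(self, label):
        token = secrets.token_hex(8)
        self.creds[token] = Credential(frozenset({label}), second_factor=False)
        return token

    def authorize(self, token, service):
        cred = self.creds.get(token)
        if cred is None or service not in cred.scopes:
            return False  # unknown token, or a service it was not issued for
        if service in SENSITIVE_SERVICES and not cred.second_factor:
            return False  # step-up authentication required
        return True

def compare(service):
    """Decisions (unscoped, scoped) for an ASP the user created for XMPP."""
    weak, strong = UnscopedIssuer(), ScopedIssuer()
    return (weak.authorize(weak.issue_asp("xmpp"), service),
            strong.authorize(strong.issue_asp("xmpp"), service))
```

`compare("account_recovery")` returns `(True, False)`: the unscoped model lets an XMPP password reach the recovery settings, while the scoped model refuses both the service mismatch and the missing second factor.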

The simpler of the two was another ClientLogin-style request, but using the returned

That MergeSession URL is the key here.
