Message-Id: <46201AB5-4214-4B1C-B04D-1B090F3A63B6@gmail.com>
Date: Mon, 30 Jul 2012 09:46:17 -0700
From: andfarm <andfarm@...il.com>
To: Pablo Ximenes <pablo@...en.es>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Security Problem with Google’s 2-Step Authentication

On 2012-07-30, at 07:41, Pablo Ximenes <pablo@...en.es> wrote:
> I'd like to share with you one of my findings that failed to get
> Google's Security Reward. Although Google doesn't consider it a
> security problem, some might find it at least amusing if not
> interesting.

> From the linked article, http://ximen.es/?p=653 -
> I found out they have a time window of 10 minutes in which any of the 20 OTP passwords are valid. [...] I have suggested invalidating all the time window (all the 20 OTPs) [when a user uses an OTP...]

Invalidating the entire window would make you unable to authenticate using OTP more than once every 10 minutes. In any case, I'm having a hard time imagining what sort of threat model would make this necessary -- if you can somehow predict a user's OTP code for some point in the future, you could go ahead and predict one that's even further in the future (outside the window of invalidated keys), and use it when that time arrives.

> or at least they could synchronize accounts.google.com’s watch with the user’s at some point, like some banks do.

Current versions of Google Authenticator have an option to do exactly this. The 10-minute window seems kind of wide; I'd imagine that it was introduced before the time sync option was available, for compatibility with devices that are on cell networks with bad time servers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
