A security firm found it could bypass Google's two-step login verification process, reset a user's master password and gain full control of the account "simply by capturing a user's application-specific password."
Application-specific passwords (ASPs) are passwords generated by Google that you can use in place of your master password for a single program, typically one that can't perform the second verification step, such as a desktop mail client. They are long, random strings that you paste into that program once and never need to remember. The trouble was that users were led to believe an ASP was good only for the application it was created for, but Duo Security said in a report that an ASP could in fact be used to log in anywhere on the account, with no second verification step at all. The catch for an attacker was obtaining the ASP in the first place, which is hard.
Duo shared its findings with Google, and as of Feb. 21, "Google engineers pushed a fix to close this loophole," the security firm said.
A Google spokesperson told NBC News Tuesday it is "not aware of any related abuse of accounts that use 2-step verification, and we increased the security for these accounts last week by increasing the authentication requirement for sensitive account actions."
In other words, while there may have been a vulnerability, Google isn't aware of anyone taking advantage of it, and the recent update likely put an end to the threat.
Furthermore, the threat outlined by Duo "required gaining access to an application-specific password (ASP), which was unlikely because ASPs are complex strings of characters that are not designed to be written down or memorized," said Google's spokesperson. "Without a separate vulnerability to obtain an ASP" (that is, without some other way of stealing an ASP from the device or application it was stored in) "these accounts remained protected."
A two-step, or two-factor, verification login calls for two different proofs of your identity. Usually the first is a password; the second is a temporary code that is sent to your phone by text message or generated by an authenticator app.
Google has offered two-step verification since 2010. Yahoo started using it in 2011, and so did Facebook, which refers to it as "login approvals."
"If an attacker can trick a user into running some malware, that malware might be able to find and extract an ASP somewhere on that user’s system," Duo Security's report said.
Google's fix "helps this situation significantly," said Duo. "Though a compromised ASP could still inflict significant harm on a user, that user should ultimately retain control over his account (and the ability to revoke the ASP at the first sign something has gone wrong)." An ASP alone might still let an attacker read your Gmail from a device, for instance, but he or she would need your master password to change sensitive account settings.
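To make the two mechanisms concrete, here is an added example (not code from the article, from Google, or from Duo Security's report). It shows the two steps of a two-step login as described above, a password plus a time-based one-time code computed per RFC 6238, and then the difference the fix makes for application-specific passwords: before it, a session opened with an ASP was treated like any other session; after it, an ASP session can read mail but cannot touch sensitive account settings, which need the full two-step login. The action names, the 16-letter ASP format and the account data are assumptions made for this example.

```python
"""Added example, not code from the article, Google or Duo Security.

A toy account service showing:
  * password + TOTP (RFC 6238, HMAC-SHA1, 30-second steps) as the two
    steps of a two-step login, and
  * application-specific passwords (ASPs): before the fix an ASP session
    was accepted for any action; after it, an ASP session may only
    perform non-sensitive actions such as reading mail.
The action names, the 16-letter ASP format and the account data are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import string
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` steps of clock skew.
    Compare in constant time so a code cannot be guessed digit by digit."""
    return any(
        hmac.compare_digest(totp(key, at + d * 30), code)
        for d in range(-window, window + 1)
    )


# Assumed set of actions that must require the full two-step login.
SENSITIVE_ACTIONS = {"change_password", "change_recovery_email", "manage_asps"}


class Account:
    def __init__(self, password: str, totp_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_key = totp_key
        self.asps: dict[str, str] = {}  # ASP -> name of the app it was issued to

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def issue_asp(self, app: str) -> str:
        # Long and random, never meant to be memorized (16 lowercase letters is an assumed format).
        token = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.asps[token] = app
        return token

    def revoke_asp(self, token: str) -> None:
        """What Duo says the user should be able to do at the first sign of trouble."""
        self.asps.pop(token, None)


def login(acct: Account, *, password=None, otp=None, asp=None, now: int = 0):
    """Return a session dict, or None on failure. A 'full' session required
    both steps; an 'asp' session required only a valid ASP."""
    if asp is not None:
        app = acct.asps.get(asp)
        return {"level": "asp", "app": app} if app else None
    if password is None or otp is None:
        return None
    if not acct.check_password(password):
        return None
    if not verify_totp(acct.totp_key, otp, now):
        return None
    return {"level": "full"}


def authorize_before_fix(session, action: str) -> bool:
    # The loophole Duo described: any valid session was as good as any other,
    # so an ASP alone unlocked account settings.
    return session is not None


def authorize_after_fix(session, action: str) -> bool:
    # Sensitive actions need the full two-step login; an ASP session keeps
    # working for ordinary use (reading mail) but nothing more.
    if session is None:
        return False
    if session["level"] == "full":
        return True
    return action not in SENSITIVE_ACTIONS
```

The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 test vectors for the shared key `12345678901234567890` (counter 0 gives `755224`; Unix time 59 gives `94287082` at eight digits), so they can be checked against any authenticator app. The `window` argument in `verify_totp` is the usual concession to clock skew between the phone and the server; widening it trades a little extra guessing surface for fewer spurious rejections.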
While Duo Security's findings are worth noting, the bigger threat for most users is really the fact that we often pick terrible passwords in the first place.
On the bright side, Google said recently that its use of "automated risk analysis" has reduced the number of compromised Google accounts by 99.7 percent since their peak in 2011.