Ok, so before you all get excited, Uncle Santa here is NOT going to show how to hack the Google 2 factor authentication fortress. What follows below is a log of my experiment that led me to slightly bypass 2 factor authentication using a bit of trickery. Then again, if this is indeed a hack then feel free to send me goodie bags 😉
I am a guy who spends a lot of his waking time on the cloud. I am always on the move yet constantly stay connected with my clients and partners. A few of the devices we use on the move are actually shared between the folks here at RDA. Personally, I am extremely particular about keeping 3rd party eyes off my data, especially my emails (sales secrets, prospects & leads kinda stuff), so I signed up for Google’s 2 factor authentication. I get a small app that lives on my phone, and every time I want to log in to my Gmail account I have to input my password in my browser followed by a 6-digit code generated in my mobile app. This code is valid only for a minute from the moment it's generated for me. Feeling pretty much secure, I was, until last week when things started getting a bit quirky.
A weird issue with my mobile phone pushed the clock back by 10 minutes. Unaware of this, I was trying to log in to my Gmail via the Chrome web browser. I entered my password and it greeted me with a pass code form. Now to whip out my mobile phone, start the app, copy the code and voilà – nothing happened. Google threw a “Code invalid” prompt. For a minute I was confused. Then, Yoda decided to investigate!
I noticed the wrong time zone in my mobile. I fast forwarded the time by 20 minutes, generated a new pass code, and copied it down on to my notepad. Now, as per Google, each pass code generated is supposed to be valid ONLY for one minute. Time to put it to the test.
Time in my Mac — 10:45 am (correct time as per IST)
Time in my mobile — 11:00 am (I fast forwarded by 15 min). Pass code generated by the Google 2 factor app. Noting it down at 10:45 am.
Now to wait for 15 minutes until the time is actually 11:00 am
11:00 am — Moment of truth — I enter my password. Google asks me to enter a pass code. I use the pass code that I generated 15 minutes earlier. And Voila! Google lets me log in!
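Why the code noted at 10:45 worked at 11:00, as an added example that is not part of the original post: the 6-digit code is computed only from the shared secret and the clock reading, so a phone whose clock is set ahead produces the code the server will expect later. The 30-second step, SHA-1, the ±1-step tolerance in `verify`, and the secret and timestamp are assumptions or constructed values, not details from the post.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6     # code length, matching the 6-digit code in the post

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, code: str, server_time: int, drift_steps: int = 1) -> bool:
    """Server-side check (assumed policy): current step +/- drift_steps."""
    return any(
        hmac.compare_digest(totp(secret, server_time + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def replay_experiment(secret: bytes, real_now: int, skew_seconds: int) -> dict:
    """Phone clock runs skew_seconds ahead; the code is noted down at real_now."""
    noted_code = totp(secret, real_now + skew_seconds)  # phone sees a future time
    return {
        # Server clock is correct, so the future code does not match yet.
        "accepted_immediately": verify(secret, noted_code, real_now),
        # Once real time catches up with the phone's clock, the code matches.
        "accepted_after_wait": verify(secret, noted_code, real_now + skew_seconds),
        # Two minutes past that point the window has moved on.
        "accepted_two_minutes_late": verify(
            secret, noted_code, real_now + skew_seconds + 120
        ),
    }

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"   # constructed sample, not a real key
    NOW = 1_700_000_000                   # constructed timestamp standing in for 10:45
    print(replay_experiment(SECRET, NOW, skew_seconds=15 * 60))
```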
Now, I am not claiming to have hacked Google’s security features. Heck, Google might very well be aware of this flaw but decided not to fix it. As the security guys here at RDA quote, “Security is always about finding a fine point of balance, I mean, you can’t spend 100K protecting an asset worth less than half of it.”
So now, it's back to sleepless nights. I am going to be very paranoid about letting people use my phone now, as I know all it takes for someone is to change the date/time on my mobile phone, generate a pass code, and use the pass code to access my email accounts. However, the chances of someone cracking your password and successfully pulling off a stunt like this are extremely low but not impossible.
You don’t have to worry about leaving your phones on your desk as well, as the chances of someone flicking your phone, breaking its screen lock passcode or pattern, then going through the hassle of changing time, generating a key code blah blah are close to zero.
Who knows, with a bit of social engineering or breach of trust, I think I could pretty much break into all my colleagues' email IDs here 😉 Meanwhile, you folks out there who rely on 2-factor authentication, keep your mobile devices safe from prying eyes and *cough* *cough* hands, *cough* ahem!