In case of issues in accessing GMAIL services, user is been provided with the option to reset the account password by simply asking Google to send a verification code on the pre-registered mobile number.
On the other hand, Android (mobile operating system from Google) based devices are bundled with security features to keep the privacy of user data/information intact. The user can opt to set the security level from none to Password (High), this ensures that, to access the mobile device and information within it, the user needs to pass through the required security validation, kind of authentication.
However, the issue described here, does not need you to punch-in any type of security code or pattern to read the arrived SMS content and thus facilitate in compromising the Google account configured to use the said mobile phone.
The issue has been identified/reported by the RnD Lab at Varutra Consulting. Varutra consulting is an information security consulting and training services company based out of Pune, India founded by Mr. Kishor Sonawane.
The issue has been identified/reported by the RnD Lab at Varutra Consulting. Varutra consulting is an information security consulting and training services company based out of Pune, India founded by Mr. Kishor Sonawane.
Lets have a look at the two different issues and how to use them for hacking a Gmail account. The first issue is discussed below,
1. Android phones/tablets SMS functioning: In case of forgotten password, User needs to go to "can't access your account?" link and make a choice from various recovery options to reset the account password. In this case, the user selects to receive a text message with a verification code on her pre-configured mobile number.
Once the verification code is sent on the mobile number, Google prompts user to enter the code.
As Discussed earlier below are the screen lock options on an android phone (from 3-5). If user selects to configure any one from option 3-5, he/she needs to feed-in the same for accessing the device and information;
This means as soon phone received verification code from GMAIL server it is getting displayed in a readable format to anyone who is having access to the phone or at least at such a distance where he/she can see the screen of a locked phone.
How difficult for you to read a one line SMS displaying on your friend/colleagues LOCKED phone?
Attack Scenario: In today's high tech era, it is not difficult to know someone's (friend, colleague, manager, relative etc.) Gmail Id, mobile number; and match if the mobile number is mapped with Google account.
An attacker on knowing the Gmail Id, phone number of a victim user and having access/reachability/visibility to the victim user's mobile device (even in Security Locked Mode) can initiate a request for verification code to be sent on the mobile number and can read the code popping up in the notification pane. The same can be punched-in online on Google recovery page to reset the victim's password and compromise the Google account and access the account recovery option and by entering the phone number can read the verification code and reset victim's account password and compromise the account.
Following screenshots revealing how a locked phone receives and displays the verification code in SMS notification.
Wait, if you could not read the 6 digits verification code in first shot then you can send the request again. Google does not take care to send random code for multiple tries.
E.g. When tested on SAMSUNG android phones a user even after setting the pattern to lock the screen is vulnerable to this attack. So the root cause being the SMS content displayed in the notification pane of locked android mobile and the real concern becomes, is it really necessary to display the SMS contents as notification?
Attacker on reading the verification code can reset the password of the victim account by entering the verification code and the new desired password.
The android 4.1 and above seems to have implemented the controls and thus are no more showcase this issue. But if the phone is without any security lock then it is still vulnerable.
If you are an android user and having a Gmail account, just have a look at the security options on your phone. Drop a line with the details of brand and OS version if you observe any phones are vulnerable to this issue.
The second issue is as discussed in section 2.
2. Security Issue with Google – account verification code
The above discussed scenario and overall severity level could have been minimized with a complex verification code.
As Google is sending 6 digits verification code which is very simple and easy to read and remember. It takes just 2 seconds for malicious user to read the verification code receiving in SMS on a locked phone.
If the verification code is a combination of alphanumeric characters with the length of more than 8 characters (10 is better), it will become difficult to read the code / remember it.
- None
- Swipe
- Pattern
- PIN
- Password
This means as soon phone received verification code from GMAIL server it is getting displayed in a readable format to anyone who is having access to the phone or at least at such a distance where he/she can see the screen of a locked phone.
How difficult for you to read a one line SMS displaying on your friend/colleagues LOCKED phone?
Attack Scenario: In today's high tech era, it is not difficult to know someone's (friend, colleague, manager, relative etc.) Gmail Id, mobile number; and match if the mobile number is mapped with Google account.
An attacker on knowing the Gmail Id, phone number of a victim user and having access/reachability/visibility to the victim user's mobile device (even in Security Locked Mode) can initiate a request for verification code to be sent on the mobile number and can read the code popping up in the notification pane. The same can be punched-in online on Google recovery page to reset the victim's password and compromise the Google account and access the account recovery option and by entering the phone number can read the verification code and reset victim's account password and compromise the account.
Following screenshots revealing how a locked phone receives and displays the verification code in SMS notification.
E.g. When tested on SAMSUNG android phones a user even after setting the pattern to lock the screen is vulnerable to this attack. So the root cause being the SMS content displayed in the notification pane of locked android mobile and the real concern becomes, is it really necessary to display the SMS contents as notification?
Attacker on reading the verification code can reset the password of the victim account by entering the verification code and the new desired password.
If you are an android user and having a Gmail account, just have a look at the security options on your phone. Drop a line with the details of brand and OS version if you observe any phones are vulnerable to this issue.
The second issue is as discussed in section 2.
2. Security Issue with Google – account verification code
The above discussed scenario and overall severity level could have been minimized with a complex verification code.
As Google is sending 6 digits verification code which is very simple and easy to read and remember. It takes just 2 seconds for malicious user to read the verification code receiving in SMS on a locked phone.
If the verification code is a combination of alphanumeric characters with the length of more than 8 characters (10 is better), it will become difficult to read the code / remember it.
Solution to the problem:
Just displaying a notification of SMS being received and not showing the actual content of SMS on the home screen of a locked android mobile phone can achieve the best remediation of this issue. This behavior should be implemented for unlocked as well as locked phones.
Also, Google can use more complex verification code by combination of alphanumeric and increased length.
Considering the ease of usability if Google cannot change the complexity of verification code then at least they can generate random codes on each single request.
Stay tuned with us on Facebook Page or Twitter.
