The issue was identified and reported by the RnD Lab at Varutra Consulting. Varutra Consulting is an information security consulting and training services company based in Pune, India, founded by Mr. Kishor Sonawane.
This means that as soon as the phone receives the verification code from the Gmail server, it is displayed in readable form to anyone who has access to the phone, or who is merely close enough to see the screen of the locked phone.
How difficult is it for you to read a one-line SMS displayed on your friend's or colleague's LOCKED phone?
Attack Scenario: In today's high-tech era, it is not difficult to learn someone's (friend, colleague, manager, relative, etc.) Gmail ID and mobile number, and to check whether the mobile number is mapped to the Google account.
An attacker who knows the victim's Gmail ID and phone number, and who has access to, or merely a line of sight to, the victim's mobile device (even in security-locked mode), can open Google's account recovery option, enter the phone number to request that a verification code be sent to it, and read the code as it pops up in the notification pane. The same code can then be entered on the Google recovery page to reset the victim's password and compromise the account.
The following screenshots show how a locked phone receives and displays the verification code in the SMS notification.
For example, when tested on Samsung Android phones, a user is vulnerable to this attack even after setting a pattern lock on the screen. The root cause is therefore the SMS content displayed in the notification pane of a locked Android phone, and the real question becomes: is it really necessary to display the SMS contents in the notification?
On reading the verification code, the attacker can reset the password of the victim's account by entering the verification code and the new desired password.
If you are an Android user with a Gmail account, take a look at the security options on your phone. Drop us a line with the brand and OS version if you find any phones that are vulnerable to this issue.
The second issue is discussed in section 2.
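The root cause described above is that the lock screen renders the full SMS body. On the app side, Android lets a notification carry a redacted "public version" that the secure lock screen shows in place of the real content. The Java snippet below is an added example written for this page, not code from Samsung, Google or Varutra; it places a code-delivering notification built the leaky way next to one built with NotificationCompat's private visibility. The class name, channel id and message text are hypothetical.

```java
import android.app.Notification;
import android.content.Context;
import androidx.core.app.NotificationCompat;

public final class OtpNotifications {
    // Hypothetical channel id; a real app registers its channel at startup.
    private static final String CHANNEL_ID = "otp_channel";

    // Leaky form: the verification code is part of the notification text, so a
    // locked device that shows notification content displays it to anyone who
    // can see the screen.
    static Notification leakyNotification(Context ctx, String sender, String code) {
        return new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle(sender)
                .setContentText("Your verification code is " + code)
                .build();
    }

    // Hardened form: VISIBILITY_PRIVATE tells the secure lock screen to show the
    // redacted public version instead of the real content; the code itself is
    // only visible once the user has unlocked the device.
    static Notification privateNotification(Context ctx, String sender, String code) {
        Notification redacted = new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("New message")
                .setContentText("Unlock to view")
                .build();
        return new NotificationCompat.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle(sender)
                .setContentText("Your verification code is " + code)
                .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
                .setPublicVersion(redacted)
                .build();
    }
}
```

Whether the redacted version is actually shown depends on the device's lock-screen notification setting: a user who has chosen to show all notification content still sees the code, so the device-side check recommended above matters as much as the app-side flag.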
2. Security Issue with Google – account verification code
The scenario discussed above, and its overall severity, could have been reduced by a more complex verification code.
Google sends a 6-digit verification code, which is very simple and easy to read and remember. It takes a malicious user just 2 seconds to read the verification code arriving by SMS on a locked phone.
If the verification code were a combination of alphanumeric characters more than 8 characters long (10 is better), it would be difficult to read and remember at a glance.
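To put numbers on the comparison above, the following Java example, added here and not part of the original post or of Google's implementation, generates codes for both schemes with a cryptographic random source, reports the size of each search space in bits, and wraps verification in a challenge object with an expiry and an attempt limit, since a code that can be guessed without limit is weak regardless of its length. Class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public final class VerificationCodes {
    private static final SecureRandom RNG = new SecureRandom();

    // The scheme the post criticises: six decimal digits.
    static final String DIGITS = "0123456789";
    // The scheme the post proposes: upper-case letters and digits, ten long.
    static final String ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    /** Draw a code of the given length uniformly from the alphabet. */
    static String generate(String alphabet, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) is uniform over [0, bound), so there is no modulo bias.
            sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        }
        return sb.toString();
    }

    /** Search space in bits: length * log2(alphabet size). */
    static double keyspaceBits(int alphabetSize, int length) {
        return length * (Math.log(alphabetSize) / Math.log(2));
    }

    /** Server-side state for one issued code. */
    static final class Challenge {
        private final byte[] expected;
        private final long expiresAtMillis;
        private int attemptsLeft;

        Challenge(String code, long ttlMillis, int maxAttempts) {
            this.expected = code.getBytes(StandardCharsets.US_ASCII);
            this.expiresAtMillis = System.currentTimeMillis() + ttlMillis;
            this.attemptsLeft = maxAttempts;
        }

        /** True only for the right code, within its lifetime and attempt budget. */
        synchronized boolean verify(String submitted) {
            if (attemptsLeft <= 0 || System.currentTimeMillis() > expiresAtMillis) {
                return false;
            }
            attemptsLeft--;
            // Constant-time comparison, so response timing does not reveal how
            // many leading characters of a guess were correct.
            boolean ok = MessageDigest.isEqual(expected,
                    submitted.toUpperCase().getBytes(StandardCharsets.US_ASCII));
            if (ok) {
                attemptsLeft = 0; // a code is single use
            }
            return ok;
        }
    }

    public static void main(String[] args) {
        String sixDigit = generate(DIGITS, 6);
        String tenChar = generate(ALPHANUMERIC, 10);
        System.out.printf("6-digit code:  %s  (%.1f bits)%n",
                sixDigit, keyspaceBits(DIGITS.length(), 6));
        System.out.printf("10-char code:  %s  (%.1f bits)%n",
                tenChar, keyspaceBits(ALPHANUMERIC.length(), 10));

        // Five-minute lifetime, three guesses.
        Challenge c = new Challenge(tenChar, 5 * 60 * 1000, 3);
        System.out.println("wrong guess accepted? " + c.verify("AAAAAAAAAA"));
        System.out.println("right code accepted?  " + c.verify(tenChar));
        System.out.println("replay accepted?      " + c.verify(tenChar));
    }
}
```

Six digits give about 19.9 bits of search space and ten upper-case alphanumeric characters about 51.7 bits, which is what makes the longer code hard to memorise from a glance; the expiry, attempt limit and single-use rule in Challenge are what stop a code from being brute-forced or replayed, and they are needed for either length.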