How To Bypass Google Lock On Revvl 4? The 118 Detailed Answer

Google knows that if your phone is stolen, hackers will sometimes try to break into your phone’s contents or erase it so it can be resold. To prevent this, Google and other mobile phone manufacturers like Samsung have implemented certain security measures to prevent this.

Unfortunately, these security measures can sometimes work against the user. For example, you might find that your Android phone is locked, you forgot your password, you entered the wrong password too many times and so on. If that happens, you’re in a bit of a bind, but don’t worry, thanks to software like Tenorshare’s 4uKey for Android, you’ll know how to bypass Google account verification after reset.

Why Android phone requires Google verification after factory reset?

As we’ve said before, one of Google’s built-in security features in Android is designed to prevent lost or stolen phones from being used by an unauthorized user. While this is useful for protecting your device and its contents from thieves, it can be annoying if you simply forgot your Google account password.

In this case, you may stare at the screen and say, “This device has been reset. to keep signing in with Google account bypass”, especially if you may have forgotten or not had a chance to disable Factory Reset Protection before this happens. Since there’s no way to bypass this screen, you’re pretty much holding an expensive paperweight in your hands until you figure out your Google Account password.

Fortunately, however, this is not the end of the world and if you ever find yourself in such a predicament then don’t worry because we are going to show you how to bypass Google account verification after reset and how to do it Bypass Google lock so you can access your device again.

How to Bypass Google Account Verification on Any Android Phone via 4uKey for Android

If you’ve ever stared at that dreaded screen after forgetting your Google account password on your Android device, you might be a little concerned that you’ll never be able to use that account with your phone again, but luckily the Google -Bypassing verification isn’t too difficult with apps like Tenorshare’s 4uKey for Android.

Why Use 4uKey for Android to Bypass Google Account Verification?

One of the advantages of using 4uKey for Android is that removing the lock on your phone is a simple and straightforward process. The whole process feels almost automated thanks to the way the app has been designed.

By bypassing the lock on your device in case you forget your Google account PIN or password, you can continue to use your phone without having to factory reset it and keep your potentially unsaved data.

It works on a variety of devices, even newer ones that might be running Android 12. It also supports removing the lock screen so you can access your phone’s content. It’s also smart enough to recognize what kind of phone you’re using so it can properly create the right profile.

This is to ensure that the unlocking process is compatible with your phone at the beginning and you don’t end up with a bricked device.

How to use 4uKey for Android

For a step-by-step guide on how to use 4uKey for Android, watch the video and follow the process of the following step.

Download the latest version of Tenroshare 4uKey for Android on your computer. Once installed, open it and select the “Remove Google Lock (FRP)” feature. When you connect your Samsung phone to the computer, you need to select the OS version of your device and click “Start” to continue. Next, Tenorshare 4uKey for Android will send a notification to your frp-locked Samsung device. Now tap on the “View” button on your Samsung device to open the Samsung Galaxy Store and download the Alliance Shield app. After downloading Alliance Shield, follow the on-screen instructions to set up your Samsung device. When you finish the setup process, 4uKey for Android will start removing the Google lock on your Samsung. Your device will reboot and you need to go to Settings > General management > Reset to factory reset your device and bypass FRP lock completely.

Useful methods to bypass Google account verification on Android phones

Tenorshare’s 4uKey for Android is one of the ways you can use to bypass Google’s FRP, but it’s by no means the only method available. If you’d rather not spend money to buy 4uKey, don’t worry, there are other ways you can bypass Google’s FRP and we’ll show you how below.

Use of Google TalkBack

After your Samsung device is factory reset, select a language and connect to a WiFi network. When you reach the page asking for your Google credentials, tap the text field and hold the “@” key to open the settings menu. Select Google Keyboard Settings Tap the three dots icon in the top right corner and select “Help & Feedback”. Select “Use Google Keyboard”. Tap and hold to select any section of text on the screen, then tap Search Web. “Settings” to launch the “Settings” menu In the “Settings” menu, scroll down and tap “About phone”. Tap “Software Information”, find the “Build Number” and tap it 7 times to enter Developer Mode. Go back to the previous menu and tap “Developer options”. Go to OEM Unlock and double-tap Back. Restart your device and reconnect to the WiFi network

The problem with this method is that it is a bit complicated since it enables developer mode. Not everyone may be sufficiently tech savvy to be able to fully understand what is going on, making it a less accessible method.

Bypass FRP via SMS or email

After the factory reset, connect to the internet. Enter an email and select the option to send “via SMS”. Type any message and send it to 112. A notification should appear saying that an error has occurred. Tap the call button and enter *#*4636#*#* and tap the dial button. You will be taken to your phone’s settings. Perform a hard reset and after your phone resets, you should be able to access it again without having to enter your Google credentials

A potential limitation of this method is that it is complicated, similar to the method above. It’s not particularly intuitive and those who don’t have a lot of experience might not be familiar with the overall process. This is in contrast to 4uKey for Android which uses an easy to understand user interface that streamlines the whole process.

Bypass Google FRP without internet access

Insert a SIM card into your locked device. Dial the number of this SIM card with another phone. Answer the call on the locked device and save the contact by tapping “Add new contact”. In the “Add contact” form that opens, enter any sequence of numbers Tap on Save and select “Google”. Create a new Google account. Restart your device. You should now be able to bypass Google’s FRP

This might be one of the easiest alternatives to bypassing Google’s FRP, but one of the downsides is that it requires using another phone. If you don’t have another phone or person to help you, this isn’t that useful.

Frequently asked questions about bypassing Google verification

Q1: Is Tenorshare 4uKey for Android free to use?

Tenorshare’s 4uKey for Android is not free to use. Given all of its features and capabilities, it should come as no surprise that it requires payment to use it. Luckily, it’s not that expensive as it costs $49.95 for a lifetime license, meaning you can use it again and again for years to come.

Q2: How can I delete my Google account after factory reset?

If you need to remove your Google account after a factory reset, maybe because you are giving the phone to someone else or if you are selling it, the best thing to do is to use Tenorshares 4uKey for Android, especially if you forgot your Google account password and must bypass the FRP.

Once you’ve followed the steps above, your device will be like new and you’ll be able to sign in with any Google account you want.

Q3: How to factory reset to avoid google verification?

If you want to avoid all the hassle of finding ways to bypass Google verification, one of the best and easiest ways is to remove your Google account from your phone before doing a factory reset.

Alternatively, you can also perform a factory reset via the Settings menu. You only need to enter the lock screen PIN, password or pattern to unlock the phone for confirmation. You can also remove all lock screen passwords before resetting. These are some of the options you have if you want to avoid this.

Q4: What if you forgot Google account?

If for some reason you have forgotten your Google account password, the above steps are your best option, e.g. B. Using Tenorshare’s 4uKey for Android software. You are also welcome to try any of the alternative methods listed above.

What you should not do is use unauthorized apps, it is for security reasons as some of these apps might be malware in disguise. You should also avoid paying for unknown services from online websites that claim to offer what 4uKey for Android can do. Last but not least, beware of potential scams that claim to allow you to bypass Google’s FRP lock.

Some of these online services are simply clickbait to drive visitors to their website or may require you to provide personal information that will be used to spam or send marketing materials to you.

Bring away

If you ever find yourself in a situation where you can’t use your phone until you verify with your Google account and you need to know how to bypass Google account verification after reset then 4uKey is for you for Android from Tenorshare probably the best bet for you in this situation. With a relatively affordable lifetime license and an easy-to-use interface, what would normally be a headache can be solved in minutes.

FRP is triggered by the Android system when you reset a device with a Google account in it. First of all, you should be able to delete the FRP now that you remember the Google account credentials. Not true? If it doesn’t, reset your password again and try to remember to enter it when the phone asks for it.

If in doubt, remove Google account before doing factory reset. No Google account means no FRP as without an existing account you can’t be prompted to sign in to an account that was used before the reset.

Finally, rooting or unrooting has nothing to do with the FRP. It’s a separate security process as I mentioned above.

FRP or Factory Reset Protection is a security feature on Android devices. Once you register an Android device with a Google account, FRP will be activated automatically. The purpose of firmware reset protection is to protect your device, data and information from falling into the wrong hands. If you have a Samsung Galaxy phone or tab and forgot the unlock pattern or PIN, there is a way to bypass and remove FRP lock on Samsung devices with Odin by flashing the combination file.

If the FRP is enabled on an Android device and you perform a factory reset through the Android recovery menu or other means, you will see the following message when you restart the device.

This device has been reset. To continue, sign in with a Google account previously synced on this device.

You will be prompted to enter the registered phone number or email address to unlock your device.

However, if you reset your Samsung phone from Settings > General management > Reset > Factory data reset, you can easily format your device.

Remove FRP on Samsung with combination file

Many people think that they can bypass or remove FRP lock on Samsung Galaxy just by installing the default firmware via Odin. I remember doing the same thing to fix firmware reset protection on a friend’s Galaxy S7 Edge. The truth is that you cannot remove the FRP lock Google account problem on Samsung phones with a regular firmware flash.

Below I will describe the method to flash combo firmware on Samsung devices to remove FRP lock.

1. Download Samsung firmware

Since we will be using a combination of specific firmware binaries, you will need to download the latest Samsung firmware for your Galaxy device. You can download or obtain the firmware file for your device model from one of the sources below.

2. Create a Samsung combo file

Okay, now that you have downloaded the right firmware for your Samsung Galaxy phone or tab, it’s time to create the combo firmware to remove the FRP lock on your Samsung device.

Follow the steps below to create a combo firmware from the regular firmware files.

Extract the downloaded Samsung firmware zip file. You can use a zip archiver like WinRar, 7Zip, PowerArchiver, etc. for this purpose. Open the extracted folder and you will find 5 firmware binaries including AP, BL, CP, CSC and Home_CSC. Make sure you can see the .md5 extension of the files. If you only see .tar, click the View tab in the Windows Explorer window and check the Filename Extensions option. Now right click on the firmware file that starts with AP in its name, select the option to rename and add a .rar extension after .md5. Then select the BL file and also change its extension to .rar. You can now extract the AP and BL zip files. Open the AP folder, copy the boot.img.lz4 and system.img.lz4 files and paste them into a new folder. Similarly, open the BL folder and move the sboot.img.lz4 filenames to the same new folder. Open the folder where you saved the boot.img, lz4, sboot.img.lz4 and system.img.lz4 files. Select all three files and pack them into one file by selecting Compress into “New Folder.rar” from the Windows context menu. Now change the zip extension of the New folder.rar file to .tar and rename it with the firmware name as shown below.

You have successfully created the Samsung combo file to remove FRP on your Galaxy device.

3. Reset Samsung device and enable USB debugging

Before proceeding with the combination file installation, you must perform a data factory reset. Since you cannot do this from the device settings of your Samsung Galaxy phone or tab, you have to do it from the recovery mode. The method to access recovery mode on Samsung devices varies from model to model. You can refer to my detailed tutorial on how to boot into Samsung recovery mode.

Once you get into the Android recovery menu screen, select wipe data/factory reset. You can use the volume up/down buttons to navigate and the power button to confirm the selection. Perform a data/factory reset and then select the Reboot system now option. When your Samsung device boots up, you will see the factory Samsung binary screen similar to the one shown below. Tap on the mosaic icon in the top left corner of the screen. This will show you the app drawer screen. Navigate to Settings > Developer Options and enable USB Debugging. If you don’t find this option, you can enable developer option on Samsung devices as follows. Now turn off your phone or tablet device by holding the Power button.

Flash Samsung combo file with Odin

Okay, you now have the Samsung combo file you created from the stock firmware. You’ve also enabled USB debugging on your Galaxy device to ensure Odin can do it. You are ready to remove FRP lock on your Samsung phone or tab.

Download the patched version of Odin and extract the zip file to your desktop. Odin3 3.14.1 3B PatcheD (for devices released after 2018)

(for devices released after 2018) Odin3 3.13.3 3B PatcheD (for older Samsung models) Download the latest Samsung USB driver, install it on your Windows PC and reboot your system. Open the Odin folder and launch Odin3.exe as administrator. It’s time to boot your Samsung device into download mode. Connect your device to the computer using a compatible USB cable. When your phone or tablet is recognized by Odin, the ID:COM port will be highlighted. In Odin, click on the Options tab and make sure that only the Auto restart and F. Reset time options are checked there. Then click the AP button and add the Samsung combo file you created earlier. Finally, click the Start button to trigger the installation. Wait for the combination firmware installation to complete and you will be greeted by the PASS!! Message in Odin. Your Samsung Galaxy device will restart automatically.

Just wait for your device to boot up and that’s it. You have successfully removed FRP lock on your Samsung Galaxy smartphone.

Please get permission to use Factory Binary (PIT).

Sometimes Samsung’s security feature blocks the installation of custom firmware and throws the following error on the download mode screen of your Samsung Galaxy device.

Please get permission to use the factory binary (pit).

To fix this, you can flash the PIT (Partition Information Table) file for your device into Odin along with the Samsung combo file. If you don’t know how to get the correct PIT file, read my tutorial which describes the steps to extract Samsung PIT from firmware.

Please remember that when installing the PIT file, you must also enable the “Repartition” option under the “Options” tab in Odin. Also, you need to add the PIT file in Odin by clicking Pit tab in Odin. If Samsung combo file doesn’t help you to remove FRP lock, you should also try NAND erase method with Odin.

When you set up your Android device for the first time, you will be prompted to add a Google Gmail account to the phone. This becomes the primary Google account. Normally Android doesn’t allow you to change the primary account without wiping everything on the device. If you have changed your Gmail address, you can delete the old account without resetting it by clearing the data and cache in the Google Apps application.

To protect your account, we may ask you to verify your identity. You can easily verify your identity through simple methods to unlock your Android device.

screen lock options

If you have set up a screen lock on your Android device, you can use it to verify your identity. Lock screen options include:

Pattern: Draw a simple pattern with your finger.

Draw a simple pattern with your finger. Pin: Enter 4 or more numbers.

Enter 4 or more numbers. Password: Enter a combination of 4 or more letters, numbers, or characters.

Enter a combination of 4 or more letters, numbers or characters. Fingerprint: Touch a sensor with your finger.

solve problems

Fingerprint not recognized

You can only verify your identity with your fingerprint, which already unlocks your device. Make sure you’re using the same finger you normally use to unlock your device.

If you are using the correct finger, make sure of the following:

Your finger is clean and dry.

The fingerprint sensor is not covered and is exposed.

The fingerprint sensor is clean. If it’s dirty, you can clean it with a lens cleaning tissue or a soft, clean cloth.

The screen lock didn’t work

If you lose your internet connection while trying to verify your identity, your lock screen won’t work. Make sure you have a consistent internet connection while using your screen lock to verify your identity.

Tap Try a different method to choose a different method of verifying your identity.

Q. Is there a way to use Gmail’s two-step security system if you don’t have a working cellular signal – or even a cell phone that can receive text messages with the codes required to log in?

A. While codes sent via text message are a common and convenient way to use Google’s two-step verification system for account security, Google has developed several other ways to deliver the codes. You don’t need to have an active cellular signal or even a cell phone.

If you are traveling to a place where you have no signal or no way to receive text messages, you can generate a set of 10 backup codes in advance and print them out to take with you. Use one of the printed codes as a second verification step each time you log into your account.

Bypassing Google’s two-factor authentication

TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s Master Password, and otherwise gain full account control simply by capturing a user’s application-specific password (ASP).

(With all due respect to Google’s “Good to Know” advertising campaign)

Misuse of Google’s (not so) application-specific passwords

Google’s two-step verification provides an interesting customer story regarding some of the challenges that come with such a widespread, pervasive deployment of strong authentication. In order to make 2-Step Verification usable for all of their customers (and to integrate it into their fairly sprawling ecosystem without breaking everything), Google’s engineers had to make a few compromises. In particular, with 2-step verification, a notion of “Application Specific Passwords” (ASPs) emerged.

A few months ago we found a way to (abuse) use ASPs to gain full control over Google accounts, completely bypassing Google’s two-step verification process. We shared our findings with the security team at Google, and recently heard from them that they’ve made some changes to mitigate the most serious of the threats we’ve detected. Here’s what we found:

Application-specific passwords

Generally, once you enable 2-Step Verification, Google will require you to create a separate application-specific password for each application you use (hence “application-specific”) that doesn’t support 2-Step Verification logins. Then use this ASP instead of your actual password. More specifically, you create ASPs for most client applications that don’t use web-based login: email clients that use IMAP and SMTP (Apple Mail, Thunderbird, etc.); Chat clients that communicate via XMPP (Adium, Pidgin, etc.) and calendar applications that sync with CalDAV (iCal, etc.).

Even some of Google’s own software initially required the use of ASPs – e.g. to enable Chrome’s syncing features or to set up your Google account on an Android device. More recently, these clients have generally transitioned to using OAuth-style methods. On this model, when you sign in with a new app or device for the first time, you’ll see an authorization prompt—including 2-Step Verification—in a web view. After a successful login, the Google service returns a “token” with limited access, which is used to authenticate your device/application in the future.

In fact, OAuth-style tokens and ASPs are notionally very similar – in either case, you end up creating a unique authorization token for each different device/application that you connect to your Google account. Also, each token can be revoked individually without affecting the others: if you lose your smartphone, you can make sure it no longer has access to your GMail account without having to remember a new password.

So, the main differences between OAuth tokens and ASPs are:

OAuth tokens are created automatically, while ASPs are a thoroughly manual affair. You’ll need to sign in to Google’s account settings page to create one, and then transcribe (or copy/paste) it into your application.

OAuth tokens use a flexible authorization model and can be restricted to access specific data or services in your account. ASPs, on the other hand, are actually not application specific as far as enforcement goes!

This second point deserves a little more attention. For example, if you create an ASP for use in an XMPP chat client, the same ASP can also be used to read your email via IMAP or retrieve your calendar events using CalDAV. This shouldn’t come as much of a surprise. In fact, Google’s Eric Grosse and Mayank Upadhyay even cite this weakness in their recent publication on Google’s authentication infrastructure:

“Another weakness of ASP is the false impression that it offers application-limited rather than full account access.” – Authentication at Scale, published in IEEE S&P Magazine vol. 11, No. 1

Automatic login with Chrome

chrome://flags/

As it turns out, ASPs can access your email in much, much more than just IMAP. In fact, an ASP can be used to log into almost all of Google’s web properties and access privileged account interfaces. After you associate your device with a Google Account, the browser allows you to use your device’s existing authorization to skip Google’s web-based sign-in prompts. (There’s even experimental support for it in desktop versions of Chrome; you can enable it by visiting .)

Up until the end of last week, this automatic login mechanism was working for even the most sensitive parts of Google’s account settings portal. This included the Account Recovery Options page, where you can add or edit the email addresses and phone numbers to which Google may send password reset messages. In short, if you can access the account recovery options page for a Google account, you can take complete control of that account away from the rightful owner.

So, to recap:

You can use an ASP to link an Android device (or Chromebook, etc.) to a Google account and

This linked device allowed you (until recently) to access account recovery options (using auto-login to bypass all login pages), change password reset settings, and gain full control over the account.

This was enough to see that ASPs posed some surprisingly serious security threats, but we wanted to understand how the underlying mechanisms actually worked.

Want to learn more about two-factor authentication? Download our two-factor authentication assessment guide

Technical details

In his excellent Android Explorations blog, Nikolay Elenkov documented a fairly thorough investigation of the automatic web login mechanism on Android. This was a great starting point, but still left some gaps for our purposes. We wanted to learn how to use Google’s auto-login mechanism without even using an Android device (or Chromebook, etc.).

To do this, we set up an intercepting proxy with a custom CA certificate to monitor network traffic between an Android emulator instance and Google’s servers. When adding a Google account to the emulator (using an ASP) we saw the following request:

POST /auth HTTP/1.1 Host: android.clients.google.com … accountType=HOSTED_OR_GOOGLE& Email=user%40domain.com &has_permission=1&add_account=1& EncryptedPasswd=AFcb4… &service=ac2dm&source=android& androidId=3281f33679ccc6c6 &device_country=us&operatorCountry =us&lang=en&sdk_version=17

The response text included:

Token=1/f1Hu…

Although the URL and some of the parameters are undocumented, this is very similar to the Google ClientLogin API. To recreate this request ourselves, we would just need to figure out what values ​​to fill in for the EncryptedPasswd and androidId parameters. It turns out that androidId is simple; We’re assuming this is the same “Android ID” mentioned in the Android API docs: a randomly generated 64-bit value intended to uniquely identify an Android device.

Another blog post by Elenkov made us believe that EncryptedPasswd could be our ASP encrypted with a 1024-bit RSA public key contained in the Android system. EncryptedPasswd actually consisted of 130 bytes of (Base64 encoded) binary data, so this seems entirely possible. But before we delve too deeply into this, we decided to replace the EncryptedPasswd parameter with the (unencrypted) passwd parameter from the ClientLogin API documentation, set to our ASP:

POST /auth HTTP/1.1 Host: android.clients.google.com … accountType=HOSTED_OR_GOOGLE& Email=user%40domain.com &has_permission=1&add_account=1& Passwd=xxxxxxxxxxxxxxxx &service=ac2dm&source=android& androidId=3281f33679ccc6c6 &device_country=us&operatorCountry=us&lang= en&sdk_version=17

That worked! Again we received a response that appeared to contain a valid token. The token created by the android.clients.google.com endpoint was now visible in our account’s “Connected sites, apps, and services” UI and appeared to offer “Full control of the account”:

Continuing with our captured traffic, we then saw two different workflows for the browser’s auto-login feature. The simpler of the two was another ClientLogin-style request, but using the returned token:

POST /auth HTTP/1.1 Host: android.clients.google.com … accountType=HOSTED_OR_GOOGLE& Email=user%40domain.com &has_permission=1& Token=1%2Ff1Hu… & service=weblogin %3 Acontinue%3Dhttps%253A %252F%252Faccounts.google.com%252FManage Account &source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=de&sdk_version=17.7

This request returned a response body like this:

Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP…&source=AndroidWebLogin Expiry=0

From this request, we found that the general format for the service parameter was weblogin:continue=url_encode(destination_url). We then decided to specify this service in our original request – so using an ASP instead of the token (and without trying to determine the origin of an unknown client_sig parameter):

POST /auth HTTP/1.1 Host: android.clients.google.com … device_country=us&accountType=HOSTED_OR_GOOGLE&androidId=3281f33679ccc6c6& Email=user%40domain.com &lang=en& service=weblogin%3Acontinue%3Dhttps%253A%2F%2Faccounts.google .com%2FManageAccount &source=android& Passwd=xxxxxxxxxxxxxxx &operatorCountry=us&sdk_version=17&has_permission=1

This gave us back the same form of response:

Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP…&source=AndroidWebLogin Expiry=0

This MergeSession URL is the key here. After making this API call, if you open it in an unauthenticated web browser (you must do this quickly; it has a very short expiration window), you will be immediately logged into your account settings page with no authentication prompt!

So, with just a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without a login prompt (or 2-step verification)!

Google’s fix

An attacker could pass https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz as the target URL in the API request and the resulting MergeSession URL would immediately take them to the “Account Recovery Options”. . Page where they could change the password recovery email address to reset the victim’s master password.

Similarly, an attacker could pass https://accounts.google.com/b/0/SmsAuthConfig?hl=en and the resulting URL would take them to the 2-step verification settings where they could create ASPs/ edit , or disable 2FA for the account altogether.

Was that so bad?

As mentioned, this worked even in the most sensitive sections of Google’s account settings portal. An attacker could use a victim’s ASP to perform a variety of privileged actions: this hasn’t been the case since February 21, when Google engineers released a fix to close this vulnerability. As far as we can tell, Google now maintains a per-session state to identify how you authenticated – did you log in with a MergeSession URL or with the normal username, password, and two-step verification flow? The account settings portal only allows you to access security-related settings in the latter case (i.e. if you logged in with a MergeSession URL, you will be presented with a two-step username/password/confirmation prompt that you cannot skip.) We believe that it’s a pretty big gap in a strong authentication system if a user still has some sort of “password” sufficient to take full control of their account. However, we’re still confident that – even before the fix was rolled out – it was clearly better to enable Google’s 2-Step Verification than not.

Today, attackers still have a lot of success using some very simple methods to take over accounts. For example through:

Creating a phishing site to trick users into revealing their passwords.

Exploiting the fact that users often share passwords between websites by cracking a (poorly protected) password database from one website and using the recovered passwords to try to break into user accounts on other websites.

Both of these examples represent types of attacks that should be prevented simply by users using common sense and good digital hygiene – i.e. H. do not use the same password on more than one website and do not click on suspicious links in email messages. Unfortunately, this type of “user training” program rarely works well in practice (and may not even make good business sense).

But even with ASPs almighty, Google’s two-step verification system should mitigate both types of attacks, even if users continue to do “stupid” things. Application-specific passwords are generated by Google and are not intended for users to remember, so it is extremely unlikely that a user would share one with other websites. Similarly, if a phishing site prompts users to enter an application-specific password, we imagine that its success rate would be far lower (perhaps orders of magnitude lower) than normal.

However, all-powerful ASPs still pose serious damage potential. If an attacker can trick a user into running malware, that malware could potentially find and extract an ASP somewhere on that user’s system (for example, Pidgin, a popular chat client commonly used with Google Talk, stores passwords in plain text in an XML file). Additionally, thick client applications, the main consumers of ASPs, are quite notorious for poor SSL certificate validation, potentially allowing ASPs to be caught via on-line MITM attacks.

Google’s fix helps a lot in this situation. Although a compromised ASP could still cause significant damage to a user, that user should ultimately retain control of their account (and have the ability to revoke the ASP at the first sign something went wrong). However, we strongly believe in the principle of least privilege and would appreciate it if Google implemented some means to further restrict the privileges of individual ASPs.

*Update #1*

*Update #2*

Disclosure Schedule

PS

Google has updated its statements when an ASP is generated to warn users of their potential risk: nCircle’s Craig Young presented at the BSides event co-hosted with RSA!2012/07/16: Duo this week about similar ASP/2SV problems Researchers confirm the existence of an ASP weakness. 07/18/2012: Issue reported to [email protected]. 2012-07-20: Communicated with the Google security team to resolve the issue. 7/24/2012: The issue has been confirmed by the Google security team and classified as “expected behavior”. 2013-02-21: Fix provided by Google to prevent ASP initiated sessions from accessing sensitive account interfaces. 02/25/2013: Disclosure by Duo. Inspired to enable two-factor authentication with your Google account? You don’t need to download another app. We recently added third-party account support to Duo Mobile, so now your business and personal accounts can all live in one place!