
List:       full-disclosure
Subject:    Re: [Full-disclosure] Security Problem with Google
From:       andfarm <andfarm () gmail ! com>
Date:       2012-07-30 16:46:17
Message-ID: 46201AB5-4214-4B1C-B04D-1B090F3A63B6 () gmail ! com

On 2012-07-30, at 07:41, Pablo Ximenes <pablo@ximen.es> wrote:
> I'd like to share with you one of my findings that failed to get
> Google's Security Reward. Although Google doesn't consider it a
> security problem, some might find it at least amusing if not
> interesting.

> From the linked article, http://ximen.es/?p=653 -
> I found out they have a time window of 10 minutes in which any of the 20 OTP passwords are
> valid. [...] I have suggested invalidating the whole time window (all the 20 OTPs) [when a user
> uses an OTP...]

Invalidating the entire window would make you unable to authenticate using OTP more than once
every 10 minutes. In any case, I'm having a hard time imagining what sort of threat model would
make this necessary -- if you can somehow predict a user's OTP code for some point in the
future, you could go ahead and predict one that's even further in the future (outside the
window of invalidated keys), and use it when that time arrives.

> or at least they could synchronize accounts.google.com’s watch with the user’s at some point,
> like some banks do.

Current versions of Google Authenticator have an option to do exactly this. The 10-minute
window seems kind of wide; I'd imagine that it was introduced before the time sync option was
available, for compatibility with devices that are on cell networks with bad time servers.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

