I think Piskvorr is saying that you could trick Alice into entering the code for the settings page from her email inbox. Once Bob visits the settings page and gets to the two-factor prompt, he pops up a JavaScript box in Alice's Gmail inbox like "Oops, something went wrong with your authentication. You have been sent a new code to enter here: [ ]". Alice says "WTF Google?" and enters the second code, and Bob grabs the code and uses it to access settings.
But even if we assume that Alice is totally hosed once Bob completes a MITM attack, I think you're right that there needs to be two-factor auth to create an app-specific password. It wouldn't protect from MITM, but it would protect from watching over Alice's shoulder, keyloggers, and all sorts of other ways that Bob might get Alice's password without mounting a MITM attack.
(Edit: Google does require two-factor auth to access www.google.com/account and generate new app-specific passwords, doesn't it? I thought it didn't when I first tried, but that's just because I've already authorized this computer. If that's the case, then I'm inclined to believe that Google has done all it can do. If an attacker controls your secure communications with Google's server, you are out of luck, period. If an attacker only has your password, then two-factor auth will keep them out of your email like it's supposed to.)