Russian Hackers Use OAuth to Circumvent Google Two Step Authentication

Last Updated: April 26, 2017

Remember the reports that Russian hackers were involved at large in the last US elections? Turns out, they’re back at it, and they’re more menacing than ever. This time, they’re breaking into Gmail accounts, and they’re doing it in a way that even Google’s Two Step Authentication isn’t able to prevent.

The group of hackers that calls itself “Pawn Storm” or “Fancy Bear” is sending out phishing emails disguised as warnings from Google, informing people about multiple attempts being made to access their accounts, and recommending that they use “Google Defender” – a fake app pretending to be a Google app. When unsuspecting users click on the seemingly harmless “Install Google Defender” link, and then “Allow” the app access to their Google account, they are inadvertently handing over OAuth tokens to the hackers.


In layman’s terms, if the hackers have OAuth tokens for your account, their application can access your Google account without ever needing your password. It’s incredibly worrying, because OAuth is meant to be a convenience for users, not a liability. Experts have always warned that OAuth can be used to malicious effect; and now it has.

Quite honestly, two step authentication is one of the most secure ways of preventing unauthorised access to your account. It works because it needs not just the password, but also a unique code sent to the user’s phone, in order to allow access to the Google account. It’s important to understand that it’s not really two step authentication that’s failing here. The user signs in themselves, second factor and all, and then grants the fake app a token; from then on the token is presented instead of a password, so there is no sign-in left for the second factor to challenge. It’s the cleverness of the phishing attack, and the inability of users to recognise a phishing email, that mean the hackers never even need to worry about two step authentication.
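The defender’s side of this is hunting for consent grants like the “Google Defender” one after the fact. The script below is an added example, not code from the article or from Google; it assumes audit records shaped like Google Workspace token-audit `authorize` events (a `client_id`, `app_name` and multi-valued `scope` parameter per event), uses constructed sample records, and treats the client-ID allowlist as a placeholder you would fill with the apps your organisation has actually vetted.

```python
"""Hunt for suspicious OAuth consent grants in token-audit events.

Added example, not from the article. Record shape is assumed to follow the
Workspace Reports API 'token' log (events named "authorize" carrying
client_id / app_name / scope parameters); the records below are constructed
and the allowlist is a placeholder.
"""
import re

# Scopes that give an app the same reach over mail that the phished user has.
# Any of these granted to an unvetted client deserves a look.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Placeholder allowlist: client IDs your organisation has reviewed and approved.
ALLOWED_CLIENT_IDS = {
    "000000000000-vettedapp.apps.googleusercontent.com",  # placeholder value
}

# Third-party apps calling themselves "Google ..." is the exact lure used here.
BRAND_WORDS = re.compile(r"\b(google|gmail)\b", re.IGNORECASE)

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {   # the lure: branded like Google, asks for full mailbox access
        "actor": {"email": "alice@example.com"},
        "events": [{"name": "authorize", "parameters": [
            {"name": "client_id", "value": "111111111111-lure.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Google Defender"},
            {"name": "scope", "multiValue": [
                "https://mail.google.com/",
                "https://www.googleapis.com/auth/userinfo.email"]},
        ]}],
    },
    {   # a vetted archiving app with a mail scope: allowed
        "actor": {"email": "bob@example.com"},
        "events": [{"name": "authorize", "parameters": [
            {"name": "client_id", "value": "000000000000-vettedapp.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Mail Archiver"},
            {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]},
        ]}],
    },
    {   # an unvetted app with a narrow, non-mail scope: not flagged
        "actor": {"email": "carol@example.com"},
        "events": [{"name": "authorize", "parameters": [
            {"name": "client_id", "value": "222222222222-cal.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Calendar Sync"},
            {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]},
        ]}],
    },
]


def _params(event):
    """Flatten one event's parameter list into a name -> value dict."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def analyse_grant(record):
    """Return (user, app, reason) findings for one record; empty if benign."""
    findings = []
    user = record.get("actor", {}).get("email", "?")
    for ev in record.get("events", []):
        if ev.get("name") != "authorize":
            continue                      # revocations etc. are not grants
        params = _params(ev)
        app = params.get("app_name", "")
        vetted = params.get("client_id", "") in ALLOWED_CLIENT_IDS
        scopes = set(params.get("scope") or [])

        # Rule 1: Google branding on a client we have not vetted.
        if BRAND_WORDS.search(app) and not vetted:
            findings.append((user, app, "impersonates Google branding"))

        # Rule 2: mailbox-wide scope handed to an unvetted client.
        risky = scopes & HIGH_RISK_SCOPES
        if risky and not vetted:
            findings.append((user, app, "unvetted app holds mail scope: "
                             + ", ".join(sorted(risky))))
    return findings


def hunt(records):
    """Run analyse_grant over every record, keeping log order."""
    findings = []
    for rec in records:
        findings.extend(analyse_grant(rec))
    return findings


if __name__ == "__main__":
    for user, app, reason in hunt(SAMPLE_RECORDS):
        print(f"{user}: '{app}' -> {reason}")
```

Only the first sample record produces findings (one for the branding, one for the mail scope); a legitimate app with the same scope is not flagged because its client ID is on the allowlist, which is why the allowlist, not the app name, should be the thing you maintain. Against real logs you would feed the same records from the Reports API rather than the constructed list, and each finding is a candidate for revoking the grant and checking what the token was used for.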
