PSA: Google no longer requires 2FA credentials to disable 2FA. And doesn't send you a notification about it. Lock down your stuff.
This PSA was brought to you by: someone figured out one of my machines was misconfigured and notified me by trying to get into a lot of stuff (and mostly failing).

Time to burn everything to the ground 🔥🔥🔥
I am extremely pissed at myself and will adjust my paranoia levels accordingly moving forward.
PSA part 2: after disabling your Google 2FA, an attacker can go to an online "Password Manager" and see aaaaaaall those passwords you saved in Google Chrome. https://mobile.twitter.com/fasterthanlime/status/1278645178044121088
Very tempted to completely gtfo Google services right now.
Did I fuck up in a major way a few weeks ago, enabling this whole thing to happen? Absolutely yeah. Am I happy about the way Google is handling my credentials, including *storing all passwords ever in plain text*?

Nope. Pretty damn pissed.
This is doing numbers (as it should, it's pretty wtf), a prerequisite for the attack is having access to a valid Google session for, like, 2 minutes.

That's where I fucked up - but also, those are things that happen, various security measures *should* mitigate even that.
Gonna delete all of this as soon as "well that's on you" fuckers show up disregarding the bigger issue, so, tell your friends.
So, yeah, if you're using a proper password manager, you might want to take a look at https://passwords.google.com  and scrub it completely.
Re APP mentions: thanks for the tip, wish I knew about this back then, but also, I think moving forward, my Advanced Protection Program is going to ditch Google & Chrome completely
Correction: Google probably doesn't store your passwords in plaintext, but it knows how to decrypt them well enough to show them as part of a webpage. (I seriously doubt it's decrypted client-side..) https://mobile.twitter.com/ericlaw/status/1278718006722510848
More on Google Password Manager storage: there are two encryption methods.

One of them makes your Google account a single point of access to all your stuff. https://mobile.twitter.com/Diana_InTheDay/status/1278718817057878017
There's a (scattered) subthread happening right now re: password manager threat models.

tl;dr Google's pwd manager has a very different security boundary than, say, 1Password. And that's what turned my fuckup from "major" to "nuclear" https://mobile.twitter.com/ericlaw/status/1278720249160970242
The password manager thread concluded and my assessment is: the defaults are *bonkers* (don't use them!) and the "disabling 2FA" without 2FA auth (even when enrolled in APP) is downright irresponsible.
Got @'d by a Google security engineer: the reason for "only asking password" when disabling 2FA is:
- avoid desensitizing users to 2FA prompts
- OS lock screen with password is the "second factor"

Get ouuuuuuuuut of here.

(source is in my mentions, might get deleted)
I would absolutely hate to be on the other end of this thread b/c we are all people but I strongly disagree with this security model and would recommend staying very very far away from it
Re: https://mobile.twitter.com/fasterthanlime/status/1278725966370607104

I may have misread, not sure if "screen lock and password" is OS-level or browser-level, either way I'm "???"
I ended up doing a whole write-up on the Google 2FA thing: https://twitter.com/fasterthanlime/status/1278785482462289920?s=19
Finally the "you just don't understand password managers" crowd showed up but I'm going to leave the thread up, since many are hearing about this for the first time.