ratorx 4 days ago

I’m struggling to understand the chain of events, because the story starts midway. Is the claim that JUST the 2FA code was enough to pwn everything with no other vulnerabilities? If that’s the case, then that’s a way bigger problem.

Or (given the password database link at the end), is the sequence:

1) various logins are pwned (Google leak or just other logins, but using gmail as the email - if just other things, then password reuse?)

2) attacker has access to password

3) attacker phishes 2FA code for Google

4) attacker gains access to Google account

5) attacker gains access to Google authenticator 2FA codes

6) attacker gains access to stored passwords? (Maybe)

7) attacker gains the 2nd factor (and possibly the first one, via the Chrome password manager?) to a bunch of different accounts. Alternatively, more password reuse?

I guess the key question for me, was there password reuse and what was the extent, or did this not require that?

Disclaimer: work at Google, not related to security, opinions my own.

davidscoville 4 days ago | parent | next [-]

I think the attacker had my password, and they just needed a recovery method, which was the code I read over the phone.

I have no idea how they had my password, I never share passwords or use the same password. But I hadn’t changed my Google password in a while.

cpncrunch 4 days ago | parent | next [-]

No, if they had had the password they wouldn't have needed to do all of that. They could have just logged in, perhaps just needed the 2FA code. However, you say that you gave them both enhanced security codes (I'm guessing this was a gmail backup key), and you also gave them the 2FA SMS code. These are the only two things you need to take over any gmail account, and it doesn't require knowing the password. It's just purely social engineering.

The only question mark is the email from google. It sounds like it was a scam email, so it would be interesting to know whether/how it was spoofed.

ratorx 4 days ago | parent | prev | next [-]

Gotcha, thanks for clarifying!

And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they get passwords through some other means and just needed 2FA?

davidscoville 4 days ago | parent [-]

I did have saved passwords in Chrome password manager but they were old. My guess is that the attacker used Google SSO on Coinbase (e.g., "sign in with Google"), which I have used in the past. And then they opened up Google's Authenticator app, signed in as me, and got the auth code for Coinbase.

By enabling cloud-sync, Google has created a massive security vulnerability for the entire industry. A developer can't be certain that auth codes are a true 2nd factor, if the account email is @gmail.com for a given user because that user might be using Google's Authenticator app.

ratorx 4 days ago | parent | next [-]

Hmm, I see what you mean, although technically this is still a 2 factor compromise (Google account password + 2FA code). Just having one or the other wouldn’t have done anything. The bigger issue is the contagion from compromising a set of less related two factors (the email account, not the actual login).

Specifically, the most problematic is SSO + Google authenticator. Just @gmail + authenticator is not enough, you need to also store passwords in the Google account too and sync them.

Although, this is functionally the same as using a completely unrelated password manager and storing authenticator codes there (a fairly common feature) - a password manager compromise leads to a total compromise of everything.

blactuary 4 days ago | parent | prev [-]

You used Google SSO for Coinbase?

4 days ago | parent | prev | next [-]
[deleted]
lokar 4 days ago | parent | prev [-]

Did you reuse that password on another site?

I don’t see how this happens if you use strong passwords without reuse.

nixosbestos 4 days ago | parent [-]

500+ comments in this thread and there's still no information as to what the hell actually happened.

I sleep fine at night; this is a hallmark of these "omg I got owned and it could happen to you!" posts that never quite add up.

pluc 4 days ago | parent | prev [-]

Passwords don't matter if you have access to the inbox and 2fa codes, you can just reset passwords.

ratorx 4 days ago | parent [-]

But if you get access to the inbox, then you have a compromised device or the password via some other means right?

Inbox access is a fairly big compromise, even without the 2FA codes.

bdangubic 4 days ago | parent | next [-]

Inbox is the biggest compromise of them all IMO. I realized this a decade ago and use a different email for every account that I have. None of them have anything to do with my name in any way; I use 4 random words to create a new email for any new account that I need. Accidental takeover of any one account does not lead to total takeover of my life :)

pluc 4 days ago | parent | prev [-]

You're right, seems they already had his inbox credentials.

cpncrunch 4 days ago | parent [-]

No, it sounds like they got him to create backup codes, which (along with the SMS 2FA code, which he also gave them) is all they need to take over the gmail account. Job done.

4 days ago | parent [-]
[deleted]