Don’t get me wrong. Google 2-Step Verification is VERY secure! Way more secure than not having it. And Gmail is the most secure free email service. But there is one flaw. According to Google, you are not supposed to be able to log in and gain full access to your account with just an application-specific password. Application-specific passwords are designed for use with applications that aren’t compatible with 2-Step Verification (for example: Outlook, Thunderbird, Sparrow, etc.). But there is one flaw... Google Notifier.
Google Notifier notifies you when you get emails; it can also log you into your account (in your web browser) to check your email. To sign into this app you use an application-specific password, thereby bypassing 2-Step Verification.
You must have access to the internet
You must have a Gmail account
You must have Google 2-Step Verification enabled
Here is how it works…
Once you have the application-specific password, sign into Google Notifier. Once signed in, click on “Go to inbox”. This will take you directly to your Gmail account. Once you are there you have FULL ACCESS to everything and can change ANYTHING you want without having to type in a password. If after a couple of minutes it asks for a password, just click on “Go to inbox” again. That should give you another minute or two to do whatever you like.
There are a couple of legitimate reasons for doing this. For example, you forgot your email password and don’t know the security question. Well, you could just use an app like this to recover your application-specific password and then log in using Google Notifier. Then all you would have to do is change the security question (you don’t need a password), and voilà, you can recover your account by answering your new security question.
This is scary because it is that simple. Anyone could do it! If ANYONE got hold of your computer, they could gain access to your Google account and to everything tied to it (bank account, PayPal, Facebook, etc.), and you wouldn’t even know it... until it was too late!