November 29, 2019

Bypassing phone verification for Google accounts.

For your security, Google wants to make sure that it's really you. Google will send a text message with a 6-digit verification code. Standard bullshit applies.

I’m still stuck on the CAPTCHA problem. The working hypothesis is that Google does some kind of fingerprinting on the SSL handshake, which means I have to take the Android SSL stack apart. Curiously, it isn’t built on the normal Java SSL classes, but calls native OpenSSL code instead. So yeah, another one of those custom solutions to get a marginal performance boost at the cost of losing compatibility with the rest of the world. Thanks for that.
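To make the fingerprinting hypothesis above concrete: the part of the handshake a server can fingerprint without any cooperation from the client is the ClientHello (offered TLS version, cipher suite list and order, extension list and order, supported groups, point formats). The following is an added example, not code from the original post or from the Raccoon project. It parses a hand-constructed ClientHello and derives a JA3-style fingerprint from it; the sample bytes, the function names and the GREASE filtering are my own assumptions for illustration, and JA3 itself is the published Salesforce scheme (MD5 over "version,ciphers,extensions,groups,point_formats"). Two clients that negotiate the same cipher suite but list their suites or extensions in a different order get different fingerprints, which is exactly what would let a server tell an Android TLS stack apart from a desktop browser.

```python
import hashlib

# Constructed sample (not a real capture): a TLS 1.2 ClientHello with one GREASE
# cipher suite, three real suites, SNI "a.b", supported_groups, ec_point_formats
# and one empty GREASE extension. Lengths were computed by hand for this example.
SAMPLE_CLIENT_HELLO = bytes.fromhex("".join([
    "1603010055",                                # record: handshake(22), v3.1, len 85
    "01000051",                                  # handshake: ClientHello(1), len 81
    "0303",                                      # client_version: TLS 1.2
    "11" * 32,                                   # random: 32 placeholder bytes
    "00",                                        # session_id length: 0
    "0008" "0a0a" "c02b" "c02f" "009c",          # cipher suites: GREASE + 3 real
    "0100",                                      # compression_methods: null only
    "0020",                                      # extensions length: 32
    "0000" "0008" "0006" "00" "0003" "612e62",   # server_name: "a.b"
    "000a" "0006" "0004" "001d" "0017",          # supported_groups: x25519, P-256
    "000b" "0002" "01" "00",                     # ec_point_formats: uncompressed
    "1a1a" "0000",                               # GREASE extension, empty
]))


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def is_grease(value):
    """RFC 8701 GREASE values look like 0x0a0a, 0x1a1a, ... 0xfafa (both bytes equal)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record):
    """Return the fingerprint-relevant fields of a ClientHello inside a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = _u16(body, pos)
    pos += 2
    pos += 32                      # random
    pos += 1 + body[pos]           # session_id (length-prefixed)
    cs_len = _u16(body, pos)
    pos += 2
    ciphers = [_u16(body, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]           # compression_methods (length-prefixed)

    extensions, groups, point_formats, sni = [], [], [], None
    if pos < len(body):
        ext_end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos < ext_end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0 and elen >= 5:          # server_name: first host_name entry
                sni = edata[5:5 + _u16(edata, 3)].decode("ascii")
            elif etype == 10:                     # supported_groups
                groups = [_u16(edata, 2 + i) for i in range(0, _u16(edata, 0), 2)]
            elif etype == 11:                     # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "point_formats": point_formats, "sni": sni}


def ja3_string(hello):
    """JA3 text form; GREASE values are dropped because clients randomise them."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(hello["version"]), join(hello["ciphers"]),
                     join(hello["extensions"]), join(hello["groups"]),
                     join(hello["point_formats"])])


def ja3_hash(hello):
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("SNI:", hello["sni"])
    print("JA3:", ja3_string(hello))
    print("MD5:", ja3_hash(hello))
```

Run against a real capture, the fingerprint of an Android app's TLS stack will differ from Firefox's even for the same destination, so a server that keys CAPTCHA decisions on this value can treat the two clients differently no matter what User-Agent header they send.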

Anyway, I needed to know if my login attempts registered at all (“failed login”) or were filtered away entirely by the CAPTCHA before even reaching the login server (spoiler: the latter). There’s a security log in the web console, so I tried to log in with Firefox, just to be told that I can’t continue until I surrender my telephone number. Sure thing - not!

So, why can’t I log in? Was it because I did too much testing with that account or because I have a NAT network behind a dynamic IP address and my ISP put me into a different subnet today? Since Google wants a telephone number no matter which account I try, but I have only been using this one for the CAPTCHA testing, it’s probably an IP address thing. That doesn’t help me, though. Now I can’t rule out that I’m failing to get through the CAPTCHA because the account is in a locked state.

Lucky me, I still have a Raccoon instance lying around with a valid session cookie for the account in question. All I had to do was download some random app, and Google let me log in again in Firefox without prompting for a telephone number. This did not, however, unblock my other test accounts.

Conclusion:

  • Trying to log in from an unusual IP address triggers a “possible account theft” alarm and forces you to prove your identity by providing a telephone number (how that is supposed to work in case your password actually got hijacked is anyone’s guess — it allows the thief to lock out the legitimate owner for good).
  • Instead of surrendering a telephone number, you can also whitelist your IP address, provided you still have a valid session cookie for the account (e.g. in Raccoon or on an Android device), by performing any action with that session (e.g. downloading a random app).