Google asks for a second one-time password when a user has activated two-factor authentication on his / her account. This password can either be generated by a smartphone app or it may be delivered via SMS.
In case there are applications that need to interact the Google accounts i.e. email clients for example, Application Specific Passwords (ASP) are used. In place of normal passwords ASPs are used by such programs as and when access to a user’s account is required for downloading emails, contacts, calendar etc. The problem here is that if someone is able to intercept the ASP, they will have access to a user’s mails, contacts and other details. But, this shouldn’t actually allow a malicious user to completely take over the account.
This is what the researchers over at Duo Security were able to do – completely take control of a user’s account through the use of ASP that was meant for Android. Researchers were able to take over the account, change the current password on the account and even disable two-factor authentication.
The vulnerability was first discovered in July of 2012, but the fix from Google came after 7 months.