Not working due to security issue after entering email address. #2

Closed
nikwilliamson opened this issue Sep 6, 2022 · 10 comments · Fixed by #3

Labels: bug (Something isn't working), severe

Comments

@nikwilliamson

nikwilliamson commented Sep 6, 2022

When beginning the auth flow, getting an error saying, "Google couldn’t confirm this attempt to sign in is safe. If you think this is a mistake, you can close and try again to sign in." This happens with and without the headers, and in the web version and the Chrome version.

Unable to resolve.

Screen Shot 2022-09-06 at 2 18 34 PM

@AngeloD2022 added the bug (Something isn't working) and severe labels Sep 6, 2022
@AngeloD2022
Owner

Google appears to have made a change to the API. Thanks for the information.

@AngeloD2022
Owner

Previously, the extension exploited a vulnerability by generating a fake device challenge for the AuthAdvice endpoint. The vulnerability was that the endpoint was not validating the device challenge token, and so a fake one could take its place. My guess would be that Google may have patched this issue, but that's speculative and unverified.

@nikwilliamson
Author

@AngeloD2022 any ideas on another solution to get the token?

@AngeloD2022
Owner

@nikwilliamson Worst case scenario: I will have to completely reverse engineer the challenge completion process. I am still investigating the issue.

@nikwilliamson
Author

> @nikwilliamson Worst case scenario: I will have to completely reverse engineer the challenge completion process. I am still investigating the issue.

In the meantime – do you know if there is a way to get a working refresh token from a Google dev account?

@AngeloD2022
Owner

Okay, well... Unfortunately, it was the worst-case scenario. This is a big headache.

@AngeloD2022
Owner

> > @nikwilliamson Worst case scenario: I will have to completely reverse engineer the challenge completion process. I am still investigating the issue.
>
> In the meantime – do you know if there is a way to get a working refresh token from a Google dev account?

To answer your question, no. Currently, there is no other way of obtaining a token besides proxying the traffic sent by the iOS app and recording the refresh token.

@banool

banool commented Sep 18, 2022

Do you have a guide for doing this by chance? I suppose without the token there is no way to use the Google Wifi API?

@r3pwn
Contributor

r3pwn commented Oct 6, 2022

> Okay, well... Unfortunately, it was the worst-case scenario. This is a big headache.

Headache resolved :)

@olivernybroe

Thanks for the fix! I just tested as I needed it and it worked perfectly :)
The Chrome store extension is not updated, so I had to do it manually.
