Exploring the Insecurity of Google Account Registration Protocol via Model Checking

Abstract

People nowadays use online service accounts (e.g., Gongle, Facebook, Twitter) to access certain services. Among them, Google accounts have become increasingly important for users. Not only do many Google services (e.g., Gmail, Google Voice, Google Play, etc.) require them, but many online services also trust and rely on them for operational needs (e.g., login based on Google accounts). This trend introduces a new type of attacks that create a large number of fake, but valid, Google accounts. The fake Google accounts allow the adversary to launch various cyber attacks towards Google account-related services. It motivates us to conduct an empirical security study on the Google account registration service. In this paper, we apply model checking techniques to systematically analyze the insecurity of Google account registration service. We develop a model-checking tool, GAcctAnalyzer, which consists of two phases: (1) service screening phase, which generates counterexamples from the violation of desired properties, and (2) experimental validation phase, which validates the counterexamples through real experiments. We use GAcctAnalyzer to discover four security vulnerabilities including design defects, operational slips. etc. Based on the discovered vulnerabilities, we devise two practical attacks against mobile users and Google: fake Google account generation and Google text/voice spamming attack. They can not only threaten the security of mobile applications and online services, but also cause the Google company to receive user complaints and lawsuits. We finally confirm the feasibility of these attacks through experiments, assess the real-world impact, and propose recommended solutions.