
How does 2FA solve this? You're interacting with an attacker who is prompting you for information in real time.


Right. This is a MITM attack, and it can defeat most of the 2FA out there today.

One technique that might help is to make the user choose a picture during account registration. During login, show that picture; if the user does not see the correct picture, he would suspect something.

It does not have to be a picture; it could be the style or background of the login component.


If the server just knows what picture is attached to my account, couldn't this attacker simply request the picture on my behalf and then show it to me?


Hmm that's actually a good point. I was going to suggest they should tie the picture to a browser rather than an account name, so they can only send the cookies to servers behind the login subdomain -- this would protect you from the attacker requesting the image on your behalf.

Of course the problem with that approach is when you're using different browsers, the image will be different every time.

Maybe a solution would be:

- ask the user for the username only
- set a cookie based on the username
- show the image associated with the account
- ask for the password

That should theoretically work on every browser and protect against cross-site requests. Of course this method has its own caveats though.

Edit: never mind. I hadn't thought it through. Of course the attacker can send your username through their page and fetch the image then display it. So the only approach I can think of that would work is tying the image to a browser rather than an account.


What's stopping the attacker from reading the user's browser data and replaying it to Google?


Cookies are not arbitrarily sent to any server. If Google has a separate subdomain they use for authentication (say login.google.com), they can instruct your browser to only send the relevant cookie to that subdomain.


Good point, though it sounds like it'd be very challenging to train users to notice the absence of a special image... especially when it's normal for that image to disappear whenever they use a different browser or clear cookies.


Agreed. Yahoo actually tried that for a while, but I believe they stopped using it for that very reason: people don't notice.

http://security.yahoo.com/sign-seal-000000996.html


Here is how: whenever a login happens from a PC without correct/current cookies, from an unknown IP, or with whatever other indicator, send an email with a link to the login page. Unless the email is compromised, the link should point to the real Google login.

Unless the attackers have compromised your email, they will not be able to obtain the secret picture.


Yes. But banks use this useless system anyway. :-(


That information would obviously not be accessible via ANY API. So that would be something only Google's private apps have access to.


Doesn't really matter if there is an API for it or not, if Google were to display it prior to you being authenticated (which they would have to for it to have any impact in this sort of attack), it would be fairly trivial for the attack code to (behind the scenes) present themselves as you to Google and then scrape the correct image from Google's response to their request. There are various things Google could do to make this more difficult, like some fancy rendering via canvas or webgl instead of just using a bog standard img tag, but to counter this the attack could just run a headless rendering browser and pixel scrape the resulting image.

Such a verification image makes the MITM attack a bit harder to code, but not really by much, and in the process might introduce an increased false sense of security.
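The relay described in the comments above (the attacker submits the victim's username to the real site and scrapes the account-bound image from the response) and the host-scoped cookie idea raised earlier in the thread, as an added simulation that is not from any commenter. The hosts, the image table and the minimal cookie jar are all constructed for the example; the point it shows is that an image keyed on the account name is relayed intact, while an image keyed on a host-only cookie never reaches the phishing host, but also vanishes for the legitimate user in a fresh browser.

```python
"""Constructed simulation of a real-time phishing proxy against two kinds of
'security image': one bound to the account name, one bound to the browser via
a host-only cookie.  Hosts, names and images are assumptions for the example."""

from dataclasses import dataclass

LOGIN_HOST = "login.example.com"   # assumed legitimate login host
PHISH_HOST = "login-example.com"   # assumed attacker lookalike host


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # host-only cookie: sent back only to this exact host


class Browser:
    """Minimal cookie jar.  `site` stands in for DNS: it is whoever actually
    answers for `host`, so the victim's browser may hand the attacker's
    server a request for PHISH_HOST while believing it is logging in."""

    def __init__(self):
        self.jar: list[Cookie] = []

    def request(self, site, host, path, **form):
        cookies = {c.name: c.value for c in self.jar if c.domain == host}
        resp = site.handle(host, path, cookies, form)
        self.jar.extend(resp.get("set_cookie", []))
        return resp


class RealSite:
    """Legitimate site.  After the username is submitted it shows the
    account-bound image; the browser-bound 'seal' is shown only when the
    host-only cookie issued at enrolment is present."""

    def __init__(self):
        self.account_image = {"alice": "sailboat.png"}   # constructed table
        self.seal_by_cookie = {}  # cookie value -> image chosen at enrolment

    def handle(self, host, path, cookies, form):
        if host != LOGIN_HOST:
            return {"status": 404}
        if path == "/enroll":
            token = f"seal-{len(self.seal_by_cookie) + 1}"
            self.seal_by_cookie[token] = form["seal_image"]
            return {"status": 200,
                    "set_cookie": [Cookie("seal", token, LOGIN_HOST)]}
        if path == "/login/username":
            return {"status": 200,
                    "account_image": self.account_image.get(form["username"]),
                    "seal_image": self.seal_by_cookie.get(cookies.get("seal"))}
        return {"status": 404}


class PhishingProxy:
    """Attacker's page on PHISH_HOST: forwards whatever the victim submits to
    the real site in real time, from the attacker's own cookie-less browser,
    and echoes the real response back to the victim."""

    def __init__(self, real: RealSite):
        self.real = real
        self.attacker_browser = Browser()

    def handle(self, host, path, cookies, form):
        # Host-only cookies for LOGIN_HOST never arrive here, so `cookies`
        # is empty; only the form fields the victim typed can be relayed.
        up = self.attacker_browser.request(self.real, LOGIN_HOST, path, **form)
        return {"status": up["status"],
                "account_image": up.get("account_image"),
                "seal_image": up.get("seal_image"),
                "relayed_cookies": dict(cookies)}


def run_scenario():
    """Return the login responses seen by the victim in three situations."""
    real = RealSite()
    victim = Browser()
    # Enrolment on the real host: choose a seal, receive a host-only cookie.
    victim.request(real, LOGIN_HOST, "/enroll", seal_image="red_kite.png")

    legit = victim.request(real, LOGIN_HOST, "/login/username", username="alice")
    phished = victim.request(PhishingProxy(real), PHISH_HOST,
                             "/login/username", username="alice")
    # Same user, fresh browser (or cleared cookies): the seal is absent even
    # on the real site, which is the usability problem raised in the thread.
    fresh = Browser().request(real, LOGIN_HOST, "/login/username", username="alice")
    return {"legit": legit, "phished": phished, "fresh_browser": fresh}


if __name__ == "__main__":
    for name, resp in run_scenario().items():
        print(name, "account_image:", resp["account_image"],
              "seal_image:", resp["seal_image"])
```

Running it prints the account image for all three cases and the seal only for the enrolled browser on the real host: the proxy reproduces the account-bound image exactly as the comments predict, the seal cookie is never sent to the lookalike host, and the legitimate user loses the seal as soon as the cookie is gone.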


How are they going to get the picture? And even if they do, they can phish one person.


If they have a list of usernames (easy enough to get, or guess), they just have to do an automated series of bulk requests.


You're both overthinking it... How would your web browser normally get the picture from Google during a legit login? Something like submit your username to a page and get a picture back? The bad guys would use exactly the same process just with the malicious server as a MITM.


Good point - this would be a very simple way to circumvent it.


Good point; however, the attack would have to be way more complex.



