Shubham Shah found a major flaw in the 2-step authentication that was used in many popular services such as Google, Facebook, Yahoo, and LinkedIn.

Short version is that he could get the code sent to the phone's voicemail by forcing the victim's phone to go voicemail by calling them. Then, he would hack into that person's voicemail. Of course, this means he would have to know the person's password and how to access the victim's voicemail.

How hard is it to access someone's voicemail? Well, it depends on the person's voicemail settings. If they haven't changed their voicemail passcode, it could be as simple as calling them until you get to their voicemail and entering the passcode to listen to voicemail. Another way is spoofing, where they access the voicemail by pretending to have the victim's number.

The lesson here is to change your voicemail passcode and require the passcode to be entered when attempting to listen to your voicemail.

Thankfully, Facebook and LinkedIn have disabled the ability to get your 2-step authentication code through voice. Google has given the user the option of disabling it. Yahoo, disappointingly, has done nothing about it...

I wonder how hard it would be to intercept text messages...