Researchers find loophole in Google's two-factor authentication