I'm the one that wrote: http://seclists.org/bugtraq/2010/Sep/160
Yes, I'm aware that it's a once-per-lifetime-of-the-device vulnerability, and is non-trivial to exploit.
Write up: https://docs.google.com/document/edit?id=1pf-YCgUnxR4duE8tr-xulE3rJ1Hw-Bm5aMk5tNOGU3E&hl=en
Example brute force search routine: https://docs.google.com/leaf?id=0B2-D6gXVjLJ-ODExOWRhZDItMTE1MC00NDU5LThmMDAtYTZlZDVhNzUxOTRi&hl=en
Another interesting conclusion to draw from the design documents is that the Mobile Authenticator Application is far from a perfect two-factor authentication scheme. There's code in the wild that lets you pull out the SN/Secret Key pair from existing installations, reducing it to "Something you know" (your password) and "Something you know" (SN/Secret Key pair), which should be unique to the device (to serve as "Something you have").
Addendum 2011-11-11: It looks like they are discontinuing support for the application that I wrote this advisory for. Since I had some cycles available I disassembled the Android version, and it looks like while the protocol used is identical, they are using a cryptographically secure PRNG during initialization so the process should be secure.