Proton mounted a bug in its new Authenticator app for iOS that logged customers’ delicate TOTP secrets and techniques in plaintext, probably exposing multi-factor authentication codes if the logs had been shared.
Final week, Proton launched a brand new Proton Authenticator app, which is a free standalone two-factor authentication (2FA) utility for Home windows, macOS, Linux, Android, and iOS.
The app is used to retailer multi-factor authentication TOTP secrets and techniques that can be utilized to generate one-time passcodes for authentication on web sites and purposes.
Over the weekend, a consumer posted in a now-deleted Reddit submit that the iOS model was exposing TOTP secrets and techniques within the app’s debug logs discovered beneath Settings > Logs.
“Imported my 2FA accounts, enabled backup and sync, all the things seemed good at first. Sooner or later, after I modified the label on one in all my entries and switched apps briefly,” reads an archive of the submit.
“I got here again to search out that about half of my 2FA entries had been gone. I believe it would’ve occurred after the label edit, however I am not 100% certain. Might’ve been one thing else. Both means, they disappeared with none error or warning.”
“I wished to do the fitting factor and submit a bug report. Whereas making ready it, I opened the log file the app generates, and that is when it went from mildly annoying to deeply regarding. Seems, the log accommodates full TOTP secrets and techniques in plaintext. Sure, together with the one for my Bitwarden account.”
One other commenter famous that the leak stems from code on the iOS app [1, 2] that provides a number of knowledge a few TOTP entry to a params variable, which is then handed to 2 capabilities used for including or updating a TOTP secret on the app.
When that is accomplished, the capabilities may also add this knowledge to a log entry, which exposes the TOTP secret.
Proton confirmed the bug within the iOS model, stating that it’s now mounted in model 1.1.1, launched to the App Retailer roughly 7 hours in the past.
“Secrets and techniques are by no means transmitted to the server in plaintext, and all sync of secrets and techniques is completed with end-to-end encryption. Logs are native solely (by no means despatched to the server), and these secrets and techniques can be exported in your gadget to satisfy GDPR knowledge portability necessities,” Proton instructed BleepingComputer.
“In different phrases, even when this was not within the logs, anyone who has entry to your gadget to get these logs, would nonetheless be capable to acquire the secrets and techniques. Proton’s encryption can’t shield towards gadget aspect compromise, so you have to all the time safe your gadget as that’s outdoors of our risk mannequin.”
“We’ve got up to date the iOS app to alter the logging conduct, however this is not a vulnerability that may be exploited by an attacker, and if the attacker has entry to your gadget to entry the native logs, they’ll in any case be capable to acquire the secrets and techniques, and there’s nothing Proton (or any 2FA app) can do to stop that.”
Whereas this log knowledge cannot be exploited remotely, the priority was that if the logs had been shared or posted anyplace to assist diagnose a problem or bug, it will additionally expose the delicate TOTP secret to a 3rd occasion.
These secrets and techniques may then be imported to a different Authenticator to generate one-time passcodes for that account.
Malware concentrating on password shops surged 3X as attackers executed stealthy Excellent Heist eventualities, infiltrating and exploiting vital techniques.
Uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how you can defend towards them.
