Proton has fixed a bug in the iOS version of its Authenticator app that logged users’ sensitive TOTP secrets in plaintext, potentially exposing 2FA codes if the logs were shared.
A Proton Authenticator user discovered the bug on social media. He was experiencing a different bug in the 2FA app that caused some 2FA entries to disappear.
“Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly, I came back to find that about half of my 2FA entries were gone,” the user posted in a now-deleted Reddit post.
Reddit’s moderation team removed the post for being too specific to a company or single product.
The user goes on to say he wanted to file a bug report about this, including the authenticator app’s log files. When he opened the app's log file, he discovered that it contained the full TOTP secrets in plaintext.
Time-based one-time password (TOTP) secrets consist of a series of numbers and letters that act as a key, enabling users to generate 2FA codes for a specific account. An attacker who has a TOTP secret can use it to generate new, valid 2FA codes for the associated account. That’s why you can’t just share TOTP secrets, or why they can’t be stored in plaintext.
Since the bug came to light, Proton has resolved the issue. The Switzerland-based tech company has called it “an oversight” in its iOS app, as it should only log the entry ID and not the TOTP secret.
The company stresses that secrets are never transmitted to the server in plaintext, and all syncing of secrets is done with end-to-end encryption.
“Logs are local only (never sent to the server), and these secrets can also be exported on your device to meet GDPR data portability requirements. In other words, even if this was not in the logs, somebody who has access to your device to get these logs would still be able to obtain the secrets. Proton’s encryption cannot protect against device-side compromise, so you must always secure your device,” Proton says on Reddit.
Proton released its Authenticator app last week as a privacy-friendly alternative to 2FA apps from companies like Google and Microsoft. The service is available for Android, iOS, Windows, macOS, and Linux. You don’t need a Proton account to use Proton Authenticator.
Your email address will not be published. Required fields are markedmarked