Tuesday, August 5, 2025

Proton fixes Authenticator bug leaking TOTP secrets in logs


Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared.

Last week, Proton launched a new Proton Authenticator app, a free standalone two-factor authentication (2FA) application for Windows, macOS, Linux, Android, and iOS.

The app stores the TOTP secrets used to generate one-time passcodes for multi-factor authentication on websites and in applications.

Over the weekend, a user reported in a now-deleted Reddit post that the iOS version was exposing TOTP secrets in the app's debug logs, found under Settings > Logs.

“Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly,” reads an archive of the post.

“I came back to find that about half of my 2FA entries were gone. I think it might've happened after the label edit, but I'm not 100% sure. Could've been something else. Either way, they disappeared without any error or warning.”

“I wanted to do the right thing and submit a bug report. While preparing it, I opened the log file the app generates, and that's when it went from mildly annoying to deeply concerning. Turns out, the log contains full TOTP secrets in plaintext. Yes, including the one for my Bitwarden account.”

Another commenter noted that the leak stems from code in the iOS app (1, 2) that adds a large amount of data about a TOTP entry to a params variable, which is then passed to two functions used for adding or updating a TOTP secret in the app.

TOTP secret passed to 'params' variable which is added to logs

When this happens, the functions also write the contents of params to a log entry, which is what exposes the TOTP secret.

Proton confirmed the bug in the iOS version, stating that it is now fixed in version 1.1.1, released to the App Store roughly 7 hours ago.

“Secrets are never transmitted to the server in plaintext, and all sync of secrets is done with end-to-end encryption. Logs are local only (never sent to the server), and these secrets can also be exported on your device to meet GDPR data portability requirements,” Proton told BleepingComputer.

“In other words, even if this was not in the logs, anyone who has access to your device to get these logs would still be able to obtain the secrets. Proton's encryption cannot protect against device side compromise, so you should always secure your device as that is outside of our threat model.”

“We have updated the iOS app to change the logging behavior, but this isn't a vulnerability that can be exploited by an attacker, and if the attacker has access to your device to access the local logs, they will anyhow be able to obtain the secrets, and there is nothing Proton (or any 2FA app) can do to prevent that.”

While this log data cannot be exploited remotely, the concern was that if the logs were shared or posted anywhere to help diagnose an issue or bug, they would also expose the sensitive TOTP secrets to a third party.

Those secrets could then be imported into another authenticator app to generate valid one-time passcodes for the affected accounts.
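To make the two points above concrete, here is an added Python sketch (not Proton's code, which is Swift, and not from the article) of the logging pattern the commenter describes and of the pre-share check a user could run on a log file. The entry fields, the logger names, the `SENSITIVE_KEYS` list and the sample secret `JBSWY3DPEHPK3PXP` are constructed for this example; the scanner's base32 heuristic is an assumption about what a leaked seed looks like, not a property of Proton's log format.

```python
"""Added example: why logging a params dict leaks a TOTP seed, how a
redacting wrapper prevents it, and a heuristic check to run over a log
file before sharing it. All names and data here are constructed."""
import logging
import re
from io import StringIO

# Field names whose values must never reach a log line (constructed list).
SENSITIVE_KEYS = frozenset({"secret", "uri", "otpauth", "seed", "key"})

# otpauth:// provisioning URIs embed the seed as a query parameter.
_OTPAUTH_URI = re.compile(r"otpauth://[^\s\"']+", re.IGNORECASE)
# Heuristic: a run of 16+ RFC 4648 base32 characters containing at least one
# digit looks like a TOTP seed. Expect some false positives on real logs.
_BASE32_RUN = re.compile(r"\b(?=[A-Z2-7]*[2-7])[A-Z2-7]{16,}={0,6}\b")


def redact_params(params: dict) -> dict:
    """Return a copy of params that is safe to log: secret fields masked."""
    return {
        key: "<redacted>" if key.lower() in SENSITIVE_KEYS else value
        for key, value in params.items()
    }


def log_entry_update_unsafe(logger: logging.Logger, params: dict) -> None:
    """The leaky pattern: the whole params dict, seed included, is logged."""
    logger.debug("updateEntry params=%s", params)


def log_entry_update_safe(logger: logging.Logger, params: dict) -> None:
    """Hardened pattern: only the redacted view of params is logged."""
    logger.debug("updateEntry params=%s", redact_params(params))


def find_leaked_secrets(log_text: str) -> list:
    """Return the log lines that appear to carry an otpauth URI or a seed."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if _OTPAUTH_URI.search(line) or _BASE32_RUN.search(line):
            hits.append(f"line {lineno}: {line.strip()}")
    return hits


def capture_log(params: dict, safe: bool) -> str:
    """Run one update-log call against an in-memory handler; return the text."""
    buf = StringIO()
    logger = logging.getLogger("totp-demo-" + ("safe" if safe else "unsafe"))
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers = [logging.StreamHandler(buf)]  # replaces any old handler
    writer = log_entry_update_safe if safe else log_entry_update_unsafe
    writer(logger, params)
    logger.handlers[0].flush()
    return buf.getvalue()


# Constructed entry; JBSWY3DPEHPK3PXP is a documentation demo seed, not a real one.
SAMPLE_ENTRY = {
    "label": "Bitwarden",
    "issuer": "Bitwarden",
    "secret": "JBSWY3DPEHPK3PXP",
    "digits": 6,
    "period": 30,
}

if __name__ == "__main__":
    leaky = capture_log(SAMPLE_ENTRY, safe=False)
    print("unsafe log  :", leaky.strip())
    print("scanner hits:", find_leaked_secrets(leaky))
    fixed = capture_log(SAMPLE_ENTRY, safe=True)
    print("safe log    :", fixed.strip())
    print("scanner hits:", find_leaked_secrets(fixed))
```

The redaction is applied at the one place where params are serialised, so every later logging call inherits it; that is the defensive shape to aim for rather than remembering to strip the secret at each call site. `find_leaked_secrets` is the check a user or support engineer can run over any diagnostic log before attaching it to a bug report; a hit means the file should be scrubbed and the affected TOTP entries re-enrolled.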
