Proton fastened a bug in its new Authenticator app for iOS that logged customers’ delicate TOTP secrets and techniques in plaintext, doubtlessly exposing multi-factor authentication codes if the logs have been shared.
Final week, Proton launched a brand new Proton Authenticator app, which is a free standalone two-factor authentication (2FA) utility for Home windows, macOS, Linux, Android, and iOS.
The app is used to retailer multi-factor authentication TOTP secrets and techniques that can be utilized to generate one-time passcodes for authentication on web sites and purposes.
Over the weekend, a person posted in a now-deleted Reddit submit that the iOS model was exposing TOTP secrets and techniques within the app’s debug logs discovered below Settings > Logs.
“Imported my 2FA accounts, enabled backup and sync, every part regarded good at first. Sooner or later, after I modified the label on certainly one of my entries and switched apps briefly,” reads an archive of the submit.
“I got here again to seek out that about half of my 2FA entries have been gone. I feel it’d’ve occurred after the label edit, however I am not 100% positive. Might’ve been one thing else. Both method, they disappeared with none error or warning.”
“I needed to do the appropriate factor and submit a bug report. Whereas making ready it, I opened the log file the app generates, and that is when it went from mildly annoying to deeply regarding. Seems, the log comprises full TOTP secrets and techniques in plaintext. Sure, together with the one for my Bitwarden account.”
One other commenter famous that the leak stems from code on the iOS app [1, 2] that provides lots of knowledge a few TOTP entry to a params variable, which is then handed to 2 capabilities used for including or updating a TOTP secret on the app.
When that is completed, the capabilities will even add this knowledge to a log entry, which exposes the TOTP secret.
Proton confirmed the bug within the iOS model, stating that it’s now fastened in model 1.1.1, launched to the App Retailer roughly 7 hours in the past.
“Secrets and techniques are by no means transmitted to the server in plaintext, and all sync of secrets and techniques is finished with end-to-end encryption. Logs are native solely (by no means despatched to the server), and these secrets and techniques can be exported in your system to satisfy GDPR knowledge portability necessities,” Proton advised BleepingComputer.
“In different phrases, even when this was not within the logs, any person who has entry to your system to get these logs, would nonetheless have the ability to get hold of the secrets and techniques. Proton’s encryption can’t shield towards system aspect compromise, so you will need to at all times safe your system as that’s exterior of our risk mannequin.”
“We’ve got up to date the iOS app to vary the logging habits, however this is not a vulnerability that may be exploited by an attacker, and if the attacker has entry to your system to entry the native logs, they are going to anyhow have the ability to get hold of the secrets and techniques, and there’s nothing Proton (or any 2FA app) can do to stop that.”
Whereas this log knowledge cannot be exploited remotely, the priority was that if the logs have been shared or posted anyplace to assist diagnose a problem or bug, it could additionally expose the delicate TOTP secret to a 3rd celebration.
These secrets and techniques might then be imported to a different Authenticator to generate one-time passcodes for that account.
Malware concentrating on password shops surged 3X as attackers executed stealthy Good Heist eventualities, infiltrating and exploiting crucial techniques.
Uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and how you can defend towards them.
