
Proton has fixed a bug in its new Authenticator app for iOS in which users' sensitive TOTP secrets were written in plaintext to the app's debug logs, potentially exposing their two-factor authentication codes if the logs were shared.
Last week, Proton released Proton Authenticator, a free standalone two-factor authentication (2FA) app for Windows, macOS, Linux, Android and iOS.
The app stores multi-factor authentication TOTP secrets, which are used to generate one-time passcodes for logging in to websites and applications.
Over the weekend, a user published a now-removed Reddit post stating that the iOS version was exposing TOTP secrets in the app's debug log (under Settings, Logs).
"My 2FA accounts were imported, backed up and synced, and everything looked good at first. At some point, I replaced the label on one of my entries and briefly switched apps," reads the Reddit post.
"I came back to find that almost half of my 2FA entries were gone. I think it may have happened after the label edit, but I'm not 100% sure. Something else could have happened. Either way, they disappeared without any error or warning."
"I wanted to do the right thing and submit a bug report. While preparing it, I opened the log file that the app generates, and what I found was only loosely related to the bug: the log includes full TOTP secrets in plaintext. Yes, including the one for my Bitwarden account."
Another commenter said the leak stems from code in the iOS app (1, 2) that adds too much data about a TOTP entry into a params variable, which is then passed to two functions used to add or update a TOTP entry in the app.

When called, these functions also write that data to a log entry, which exposes the TOTP secret.
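The flaw described above is a generic logging pattern, not something specific to Swift: a parameter bag that carries a secret is handed to a function that logs the whole bag. The Python illustration below is an added example and is not Proton's code; the entry, the field names and the log format are constructed assumptions. It shows the unsafe form next to a version that redacts sensitive keys before logging, plus a small scanner a developer can run over a log file before attaching it to a bug report.

```python
import logging
import re
from io import StringIO

# Constructed sample entry for illustration only; the secret is not a real account's.
SAMPLE_ENTRY = {
    "label": "Example account",
    "issuer": "example.com",
    "secret": "JBSWY3DPEHPK3PXP",  # base32 TOTP seed
    "period": 30,
    "digits": 6,
}

# Keys whose values must never reach a log (assumed names, adjust for your schema).
SENSITIVE_KEYS = {"secret", "otpauth", "token", "password"}


def redact(params):
    """Return a copy of params with sensitive values replaced, safe to log."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


def add_entry_unsafe(store, params, log):
    """Mirrors the reported flaw: the whole params dict, secret included, is logged."""
    log.debug("add entry params=%s", params)
    store[params["label"]] = params


def add_entry_safe(store, params, log):
    """Same behaviour, but the log line only ever sees the redacted copy."""
    log.debug("add entry params=%s", redact(params))
    store[params["label"]] = params


def capture_log(fn, params):
    """Run fn with a fresh logger and return everything it logged as text."""
    buf = StringIO()
    logger = logging.getLogger(f"demo.{fn.__name__}")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        fn({}, params, logger)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


# Base32 alphabet is A-Z and 2-7; TOTP seeds are typically 16+ characters.
BASE32_SECRET = re.compile(r"\b[A-Z2-7]{16,}={0,6}\b")


def find_leaked_secrets(log_text):
    """Scan log text for strings that look like base32 TOTP seeds or otpauth URIs."""
    hits = set(BASE32_SECRET.findall(log_text))
    hits.update(re.findall(r"otpauth://\S+", log_text))
    return sorted(hits)


if __name__ == "__main__":
    for fn in (add_entry_unsafe, add_entry_safe):
        text = capture_log(fn, SAMPLE_ENTRY)
        print(fn.__name__, "leaked:", find_leaked_secrets(text))
```

The scanner is a coarse heuristic (any long upper-case base32 run is flagged), which is the right trade-off for a pre-share check: a false positive costs a glance, a false negative costs an account.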
Proton confirmed the bug in the iOS version, saying it is now fixed in version 1.1.1, which was released on the App Store about 7 hours ago.
"Secrets are never transmitted to the server in plaintext, and all syncing of secrets is done with end-to-end encryption. Logs are only local (never sent to the server), and these secrets can also be exported on your device to meet GDPR data portability requirements," Proton added.
"In other words, even if it wasn't in the logs, someone with access to your device to get these logs would still be able to get the secrets. Proton's encryption cannot protect against device-side compromise, so you should always secure your device, as it is outside of our threat model."
"We have updated the iOS app to change the logging behavior, but it is not a vulnerability that can be exploited by an attacker, and if an attacker has access to your device to reach the local logs, they will be able to get the secrets anyway, and there is nothing we (or any 2FA app) can do to stop it."
Although this log data cannot be exploited remotely, the concern is that if a log was shared or posted anywhere to help diagnose an issue or bug, it would also expose the sensitive TOTP secrets to third parties.
These secrets can be imported into another authenticator app to generate valid passcodes for that account.