Earlier this week, Google updated its Authenticator app to enable the backup and syncing of 2FA codes across devices using a Google Account.

Now an examination by Mysk security researchers has found that the sensitive one-time passcodes being synced to the cloud aren't end-to-end encrypted, leaving them potentially exposed to bad actors.

Prior to the integration of Google Account support, all codes in the Google Authenticator app were stored on device, which meant that if the device was lost, so too were the one-time passcodes, potentially causing loss of account access as well. But it seems that by enabling cloud-based syncing, Google has opened up users to a security risk of a different sort.

"Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices," Mysk said via Twitter. "We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. This means that Google can see the secrets, likely even while they're stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user."

"Secrets" is a term used to refer to private pieces of information that act as keys to unlock protected resources or sensitive information; in this case, one-time passcodes.

Mysk said that its tests found the unencrypted traffic contains a "seed" that's used to generate the 2FA codes. According to the researchers, anyone with access to that seed can generate their own codes for the same accounts and break into them. Since the QR codes involved with setting up two-factor authentication contain the name of the account or service, the attacker can also identify the accounts.

"If Google servers were compromised, secrets would leak," Mysk told Gizmodo. "This is particularly risky if you're an activist and run other Twitter accounts anonymously," added the researchers.

Mysk subsequently advised users not to enable the Google account feature that syncs 2FA codes across devices and the cloud.
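As an added illustration of the "seed" point (my example, not code from the article or from Mysk): a TOTP seed, as carried in an otpauth:// provisioning QR code, fully determines every future code, so a copy of it taken from an unencrypted sync yields exactly the codes the user's device shows. The URI and account name below are constructed; the seed is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a provisioning QR code encodes. The seed is the
# RFC 6238 reference key ("12345678901234567890" in base32), not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI into issuer, account label and seed.
    The label travels in the clear, so a leaked entry also names the account."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(parts.path.lstrip("/"))
    params = parse_qs(parts.query)
    return {"issuer": params.get("issuer", [""])[0], "account": label,
            "secret": params["secret"][0],
            "digits": int(params.get("digits", ["6"])[0]),
            "period": int(params.get("period", ["30"])[0])}


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the clock."""
    clean = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_from_device_and_synced_copy(uri: str, unix_time: int) -> tuple:
    """The device holds the parsed entry; a synced copy holds only the seed string.
    Both produce the identical code, which is why the seed must stay private."""
    entry = parse_otpauth(uri)
    on_device = totp(entry["secret"], unix_time, entry["digits"], entry["period"])
    synced_seed = entry["secret"]  # exactly what an unencrypted sync exposes
    from_copy = totp(synced_seed, unix_time, entry["digits"], entry["period"])
    return on_device, from_copy
```

The two codes match at every time step, which is the practical meaning of "anyone with access to that seed can generate their own codes"; a passphrase-wrapped backup would change what the sync carries, not how the codes are computed.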