Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared.
Last week, Proton released a new Proton Authenticator app, which is a free standalone two-factor authentication (2FA) application for Windows, macOS, Linux, Android, and iOS.
The app stores the TOTP secrets used to generate one-time passcodes for authentication on websites and in applications.
Over the weekend, a user posted in a now-deleted Reddit post that the iOS version was exposing TOTP secrets in the app's debug logs found under Settings > Logs.
"Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly," reads an archive of the post.
"I came back to find that about half of my 2FA entries were gone. I think it might've happened after the label edit, but I'm not 100% sure. Could've been something else. Either way, they disappeared without any error or warning."
"I wanted to do the right thing and submit a bug report. While preparing it, I opened the log file the app generates, and that's when it went from mildly annoying to deeply concerning. Turns out, the log contains full TOTP secrets in plaintext. Yes, including the one for my Bitwarden account."
Another commenter noted that the leak stems from code in the iOS app [1, 2] that adds a large amount of data about a TOTP entry, including its secret, to a params variable, which is then passed to two functions used for adding or updating a TOTP entry in the app.
Screenshot caption: TOTP secret passed to the 'params' variable, which is then added to the logs
Both functions then write the contents of params to a log entry, which exposes the TOTP secret in plaintext.
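The logging defect described above, modelled as an added example that is not Proton's code: a minimal Python version of an add/update function that logs its whole params dict, the redacting variant a fix would use, and a scanner that flags base32-looking secrets in an exported log before it is shared. The function and key names (`add_entry_vulnerable`, `redact_params`, `SENSITIVE_KEYS`) and the sample entry are assumptions.

```python
import re

# Keys of a TOTP entry that must never reach a log (assumed names, modelled on 'params').
SENSITIVE_KEYS = {"secret", "uri", "otpauth"}

# Heuristic for a base32 TOTP secret: 16+ chars of A-Z/2-7 with optional '=' padding.
BASE32_SECRET = re.compile(r"\b[A-Z2-7]{16,}\b=*")

def scrub(text: str) -> str:
    """Mask anything in free text (e.g. an otpauth:// URI) that looks like a TOTP secret."""
    return BASE32_SECRET.sub("<redacted>", text)

def redact_params(params: dict) -> dict:
    """Copy of params safe to log: secret keys masked, other strings scrubbed."""
    safe = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_KEYS:
            safe[key] = "<redacted>"
        elif isinstance(value, str):
            safe[key] = scrub(value)
        else:
            safe[key] = value
    return safe

def add_entry_vulnerable(params: dict, log: list) -> None:
    """The defective pattern: the whole params dict, secret included, goes to the log."""
    log.append(f"addEntry params={params}")

def add_entry_hardened(params: dict, log: list) -> None:
    """The fixed pattern: only the redacted view of params is logged."""
    log.append(f"addEntry params={redact_params(params)}")

def find_leaked_secrets(log_lines) -> list:
    """Scan exported log lines for base32-looking secrets (a check to run before sharing logs)."""
    found = []
    for line in log_lines:
        found.extend(m.rstrip("=") for m in BASE32_SECRET.findall(line))
    return found

# Constructed sample entry; the secret is a well-known test vector, not a real account.
SAMPLE_PARAMS = {"label": "Bitwarden", "issuer": "Bitwarden",
                 "secret": "JBSWY3DPEHPK3PXP", "digits": 6, "period": 30}

def demo() -> tuple:
    """Log the sample entry both ways and report what a log scan finds in each."""
    leaky, safe = [], []
    add_entry_vulnerable(SAMPLE_PARAMS, leaky)
    add_entry_hardened(SAMPLE_PARAMS, safe)
    return find_leaked_secrets(leaky), find_leaked_secrets(safe)
```

The base32 check is a heuristic: an all-caps label of 16 or more letters would also be flagged, which is the safe direction for a pre-share review of a log export.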