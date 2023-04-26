



Security researchers have found that Google’s new two-factor authentication tool isn’t end-to-end encrypted, potentially exposing users to significant security risks.

Google’s Authenticator app provides a second layer of security on top of your password: a unique code that is required when logging into websites. On Monday, Google announced a long-awaited feature that lets you sync your Authenticator to your Google account and use it on multiple devices. This is good news, because in the past, if you lost the phone with the authenticator app installed, you could be locked out of your accounts.

But when app developers and security researchers at software company Mysk looked inside, they found that the underlying data was not end-to-end encrypted.

We tested this feature as soon as Google released it. We’ve noticed that the app doesn’t prompt or give you the option to use a passphrase to protect your secrets, the company wrote on Twitter.

Analysis of network traffic when the app syncs secrets revealed that the traffic was not end-to-end encrypted, the company added. As you can see in the screenshot, this means Google can see your secrets even while they are stored on its servers. In the security community, a secret is a term for a credential that acts as a key to unlock an account or tool.

Google Authenticator can be used without being associated with a Google Account or synced across devices, which avoids this issue. Unfortunately, this means it might be best to avoid the convenience feature users have been asking for for years: in short, syncing 2FA secrets across devices is useful, but privacy is sacrificed. For now, we recommend using the app without the new sync feature.

Google did not immediately respond to requests for comment.

In our testing, we found that the unencrypted traffic contained the seed used to generate the two-factor authentication codes. According to Tommy Mysk, one of the researchers who discovered the problem, anyone with access to that seed can generate the unique codes for your account and break in.

Mysk told Gizmodo that the secrets would be leaked if Google’s servers were compromised. Even worse, the QR code used to set up two-factor authentication also includes the name of the account or service (such as Amazon or Twitter). An attacker could therefore also see what accounts you have, which is especially dangerous if you’re an activist running other Twitter accounts anonymously.

But cybercriminals aren’t the only ones to worry about. Google or Google staff can access this data, Mysk said.

Leaving the data unencrypted means Google can theoretically see it and know what apps and services you use. This could serve a variety of purposes, including targeted advertising. Allowing a data-hungry tech giant like Google to build a graph of every account and service each user has is not a good idea, Mysk said.

The problem is surprising given Google’s history with similar tools. Google has a broadly similar feature that lets you sync Google Chrome data across devices, and there the company gives users the option to set a passphrase to protect that data, keeping it out of Google’s reach and protecting it from third parties who might intercept it.

2FA secrets are considered sensitive data, just like passwords. Google already supports passphrases for syncing Chrome data, so he expected 2FA secrets to be treated the same way, Mysk said.

So far, Google has not announced any plans to add password protection to the authenticator’s sync feature.

