Google Authenticator syncing feature exposes 2FA credentials

Share post:

According to security experts Tommy Mysk and Talal Haj Bakry, a new synchronization function in Google’s Authenticator 2FA software, which allows users to connect into numerous services, has a severe security issue. Mysk found the weakness, which is that “secrets” or credentials exchanged between devices are not end-to-end encrypted, allowing attackers or Google to read the credentials.

Christiaan Brand, Google Group Product Manager, Identity and Security, defended the software, claiming that it shipped as planned. However, because there is no end-to-end encryption, Google can see what services each account owner uses, potentially allowing the company to target personalized ads. Users are also vulnerable to attackers as a result of the bug.

Mysk proposes avoiding this security risk by using the Google Authenticator offline without associating it to a Google account or by not utilizing the syncing option. However, both options eliminate much of the new update’s utility.

In response to the security concerns, Brand claimed that optional end-to-end encryption is currently available in several Google products and that there are plans to offer it in the future for Google Authenticator. Mysk urges users to use the program without the new syncing function until then.

The sources for this piece include an article in TechRepublic.

SUBSCRIBE NOW

Related articles

Hamilton Estimates $52 Million to Rebuild IT Systems After Ransomware Attack

The city of Hamilton plans to spend $52 million over the next three years to rebuild and secure...

Avery Data Breach: Credit Card Skimmer Affects Over 61,000 Customers

Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that...

Scammed Company Ordered to Pay $190k for Fraudulent Invoice Payment

A hacker gained access to Mobius Group’s email system and sent instructions from a legitimate email address, directing...

Sneaky 2FA: A Sophisticated Attack Defeats Both 2FA and Phishing Protections

A new phishing kit, ominously named "Sneaky 2FA," has emerged, targeting Microsoft 365 users by bypassing two-factor authentication...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways