Proton recently launched its new standalone Proton Authenticator app, a free two-factor authentication (2FA) tool available on various platforms including Windows, macOS, Linux, Android, and iOS. The app’s purpose is to securely store multi-factor authentication TOTP secrets. These secrets are used to generate the one-time passcodes necessary for logging into websites and applications. The goal of the app is to provide a secure and simple way for users to manage their 2FA, but a critical flaw was discovered in the initial iOS release.
A user on Reddit reported a significant issue with the iOS version of the app. The user found that after making a minor change to an entry, some of their 2FA accounts disappeared. While trying to report this bug, they opened the app’s debug logs and made a troubling discovery: the logs contained their full TOTP secrets in plaintext. This included the secret for their Bitwarden account. This finding turned a simple bug report into a serious security concern, as sharing these logs for troubleshooting purposes would directly expose sensitive authentication data.
Another user who commented on the Reddit post provided more detail on the issue. They noted that the vulnerability stemmed from the iOS app’s code, which passed a large amount of data—including the TOTP secret—to a logging function. This function was meant to help with debugging but unintentionally captured and stored the sensitive secret in the app’s local logs. This meant that the log file, which is accessible to anyone with physical access to the device, became a repository for the plaintext secrets.
The issue wasn’t a remote attack vector but a problem of improper data handling within the app itself.
Proton quickly acknowledged the bug, explaining that the secrets were only stored locally and never transmitted to their servers. They also clarified that while the logging behavior was a mistake, it didn’t create a remote vulnerability. Proton stated that if an attacker had enough access to a user’s device to retrieve these local logs, they could likely obtain the secrets through other means as well. Despite this, Proton recognized the risk of a user unknowingly sharing these logs and compromising their own security.
To address the issue, Proton released version 1.1.1 of the iOS app, which modifies the logging behavior to prevent TOTP secrets from being stored in plaintext. This update ensures that even if a user shares their local logs to report a bug, their authentication secrets will not be compromised. While the app’s end-to-end encryption and server-side security were not affected, this patch was a necessary step to protect users from a potential self-inflicted compromise and to restore confidence in the security of the new Proton Authenticator.
Reference:
