Google Authenticator 2FA update accused of making service less secure
Lack of end-to-end encryption in code backup has some developers worried


A new update for the Google Authenticator app has drawn criticism from developers for allegedly opening users up to privacy and security violations.
Earlier this week, Google rolled out an update for Android and iOS allowing users to back up their one-time authentication codes to the cloud, but researchers have noted that the network traffic for this process is not end-to-end encrypted.
A security researcher and programmer duo who publish under the single online handle Mysk alleged that, without proper encryption, users’ two-factor authentication (2FA) secrets could be viewed by Google or potentially accessed by threat actors.
“Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes,” the researchers tweeted.
“If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.”
Mysk also stated that as 2FA QR codes contain data relating to the name of the service to which they relate, Google could access this data to serve users personalized ads.
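To make concrete what Mysk describes, the following added example (not code from Google, Mysk or ITPro) parses a constructed otpauth:// URI of the kind that a 2FA QR code encodes and derives time-based one-time codes from its seed per RFC 6238. The label and issuer fields show the service name that travels with the seed, and anyone holding the same seed computes the same codes; the seed used is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Return (issuer, account, seed_bytes, digits, period) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))          # e.g. "ExampleBank:alice@example.com"
    label_issuer, _, account = label.partition(":")
    if not account:                              # label had no "issuer:" prefix
        account, label_issuer = label_issuer, ""
    issuer = q.get("issuer", [label_issuer])[0]  # service name, visible to whoever stores the URI
    secret_b32 = q["secret"][0].upper()
    seed = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    return issuer, account, seed, int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0])


def totp(seed, at=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the seed alone determines the code for a given time step."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed URI; the seed is the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank&digits=6&period=30"
)


def codes_from_backup_copy(uri, at):
    """Whoever holds a copy of the URI (phone, or an unencrypted cloud backup) gets the same code."""
    issuer, account, seed, digits, period = parse_otpauth(uri)
    return issuer, account, totp(seed, at, digits, period)


if __name__ == "__main__":
    print(codes_from_backup_copy(EXAMPLE_URI, at=59))  # ('ExampleBank', 'alice@example.com', '287082')
```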
Security analyst Graham Cluley echoed Mysk’s findings, saying “you shouldn't enable the feature as Google hasn't implemented it in a way that properly defends your security”.
The feature has been long requested, and Google said it has added it in acknowledgment of the frustration some users felt with one device being tied to crucial accounts.
“One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed,” wrote Christiaan Brand, group product manager at Google in a blog post.
“Since one-time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.”
With the new update, users will be able to access one-time codes again on a new phone once they have signed into the Authenticator app using their Google account.
Google Authenticator will automatically back up codes to the cloud, though users are able to use the app without a Google account.
Microsoft had already allowed cloud backups on Microsoft Authenticator, and its documentation page has outlined the extent to which keys sent to the cloud are encrypted with AES-256.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.