Geeks for your information News Software & Services News v
Google Authenticator's mysterious security update does not enable end-to-end encrypti
Google Authenticator's mysterious security update does not enable end-to-end encrypti
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 14,540
Threads: 9,564
Thanks Received: 9,054 in 7,204 posts
Thanks Given: 9,838
Joined: 12 September 18
#1
Exclamation  26 May 23, 08:33
Quote:Google has released a new update for its Google Authenticator application. The changelog reveals that Google "added device encryption to storage of secret value". Users who have hoped that Google would integrate end-to-end encryption to the application will be disappointed, as this is still not the case.

Google Authenticator was updated about a month ago. The main new feature that Google integrated into the application was two-factor authentication syncing. The applications syncs the stored data with a user's other devices, when turned on.

[Image: How-to-set-up-sync-in-google-authenticator-app.jpg]

While that sounds like a good usability improvement, as it means that users do not have to set up the functionality on all their devices manually, it turned out that Google did not implement end-to-end encryption of the data. In other words: attackers, for instance by using man-in-the-middle attacks, may read the secrets; this would give them access to the codes generated. A secret, or seed, is used to generate one-time codes for specific services or apps.

We advised Google Authenticator users to keep the feature turned off, or use a different authenticator application instead. End-to-end encryption encrypts the data on the user's device, so that sensitive information are protected.

The latest changelog of Google's Authenticator app suggests that Google has integrated the feature into the app. Tests, by the German Heise publisher, and confirmed by us, do not confirm the change. The changelog message, Added device encryption to storage of secret values, must mean something else then, but it is unclear what it does exactly.

Accounts added to Google Authenticator are synced to the cloud using TLS encryption. An inspection of the data reveals that the seeds are still Base32 encoded. Base32 can be decoded easily. Proper end-to-end encryption would not reveal any seed data, or any other data for the matter, thanks to the use of encryption.

Google Authenticator users should keep the cloud syncing functionality of the application turned off as a consequence.
...
Continue Reading
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
GFYI [Official] HitmanPro.Alert Mother'...
"Share feedback...jAcos — 20:15
GFYI [Official] Master PDF Editor Mothe...
"Share feedback...jAcos — 20:07
Brave 1.78.97
Release Channel 1....harlan4096 — 10:42
F-Secure v25.4
FSecure Knowledge ...harlan4096 — 10:41
Intel addresses 13/14th Gen Core “Raptor...
Intel has new micr...harlan4096 — 10:26

[-]
Birthdays
Today's Birthdays
avatar (38)omapek
avatar (47)Geraldtuh
Upcoming Birthdays
avatar (27)akiratoriyama
avatar (47)Jerrycix
avatar (39)awedoli
avatar (81)WinRARHowTo
avatar (37)owysykan
avatar (48)beautgok
avatar (38)axuben
avatar (44)talsmanthago
avatar (30)mocetor
avatar (45)piomaibhaict
avatar (50)kingbfef
avatar (37)izenesiq
avatar (39)ihijudu
avatar (44)tiojusop
avatar (41)Damiennug
avatar (39)acoraxe
avatar (48)contjrat
avatar (40)axylisyb
avatar (43)tukrublape
avatar (43)knigiJow
avatar (45)1stOnecal
avatar (49)Mirzojap
avatar (35)idilysaju
avatar (39)GregoryRog
avatar (44)mediumog
avatar (39)odukoromu
avatar (45)Joanna4589

[-]
Online Staff
There are no staff members currently online.

>