Tag: psa:
PSA: Google Authenticator’s Cloud-Synced 2FA Codes Aren’t End-to-End Encrypted
Prior to the integration of Google Account support, all codes in the Google Authenticator app were stored on device, which meant that if the device was lost, so too were the one-time passcodes, potentially causing loss of account access as well. But it seems that by enabling cloud-based syncing, Google has opened up users to a security risk of a different sort.
“We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted,” said Mysk via Twitter. “This means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.”
“Secrets” is a term used to refer to private pieces of information that act as keys to unlock protected resources or sensitive information; in this case, one-time passcodes.
Mysk said that its tests found the unencrypted traffic contains a “seed” that’s used to generate the 2FA codes. According to the researchers, anyone with access to that seed can generate their own codes for the same accounts and break into them.
“If Google servers were compromised, secrets would leak,” Mysk told Gizmodo. Since the QR codes involved with setting up two-factor authentication contain the name of the account or service, the attacker can also identify the accounts. “This is particularly risky if you’re an activist and run other Twitter accounts anonymously,” added the researchers.
Mysk subsequently advised users not to enable the Google account feature that syncs 2FA codes across devices and the cloud.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don’t turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.… pic.twitter.com/a8hhelupZR
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 26, 2023
Responding to the warning, a Google spokesperson told CNET it had added the sync feature early for convenience’s sake, but that end-to-end encryption is still on its way:
“End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we’re offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.”
Until that happens, there are alternative services for syncing authentication codes across devices, such as Apple’s own 2FA code generator and third-party apps like Authy.
This article, “PSA: Google Authenticator’s Cloud-Synced 2FA Codes Aren’t End-to-End Encrypted” first appeared on MacRumors.com
PSA: Star Wars Jedi Survivor Spoilers Have Leaked Online
PSA: You can get Google’s flagship for dirt cheap right now
PSA: Make Sure to Update Older Devices to iOS 15.7.4 to Fix Actively Exploited Vulnerability
According to Apple’s release notes for the security update, it addresses a long list of vulnerabilities, including a WebKit vulnerability that was known to be actively exploited. From Apple’s security support document:
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Note that those running iOS 16 and iPadOS 16 do not need to worry about this exploit as it was previously fixed in iOS 16.3.1. The update also fixes other WebKit vulnerabilities that were not actively exploited, plus it fixes security issues with Calendar, Camera, Find My, and more.
iOS 15.7.4 and iPadOS 15.7.4 are available for all iPhone 6s models, all iPhone 7 models, the first-generation iPhone SE, the iPad Air 2, the fourth-generation iPad mini, and the seventh-generation iPod touch.
This article, “PSA: Make Sure to Update Older Devices to iOS 15.7.4 to Fix Actively Exploited Vulnerability” first appeared on MacRumors.com
PSA: The Diablo 4 Beta Preload Is Live
PSA: Don’t Rely on the Google Pixel Watch Alarm
Have a Google Pixel Watch? If you enjoy all the many features on the watch, but notice alarms don’t seem to work right, you’re not alone. Several reports claim Google’s Pixel Watch is late to alert users with an alarm, which is troubling if you’re trying to wake up and get to work.
PSA: Sons of the Forest companions can be revived with Notepad
PSA: You Should Be Using a Smart Plug to Restart Your Router
Power-cycling your router and modem to fix connection issues is a hassle. But with an inexpensive smart plug, it doesn’t have to be.
Public Storage (PSA) Q4 2022 Earnings Call Transcript
Public Storage (NYSE: PSA) Q4 2022 earnings call dated Feb. 22, 2023 Corporate Participants: Ryan Burke — Vice President, Investor Relations Joseph D. Russell — President and Chief Executive Officer Tom Boyle — Senior Vice President, […]
The post Public Storage (PSA) Q4 2022 Earnings Call Transcript first appeared on AlphaStreet.