A bug in the iOS app left sensitive TOTP data in plain text on the device.
Proton has resolved a vulnerability in the iOS version of its new Authenticator app. The flaw caused sensitive TOTP (Time-based One-Time Password) codes used for 2FA to be written in plain text to log files. The issue has been fixed in version 1.1.1 of the app.
Sensitive Information in Log Files
A Reddit user noticed the bug when 2FA accounts disappeared from the app after editing a label. On reviewing the generated log files, the user found that the secret authentication codes, including those for sensitive services such as Bitwarden, were visible in the log file on the device.
The issue was caused by a function in the iOS code that added the TOTP data to a variable; that variable was then automatically written to the local logs in plain text.
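The pattern described above, modelled as an added example in Python rather than Proton's own Swift code: an entry type whose default representation prints its secret (the leaky shape), the hardened variant that excludes the seed from its representation, and a logging filter that scrubs any base32 seed or otpauth `secret=` parameter that still reaches a log line. All names, the sample seed and the log lines are constructed for the demonstration.

```python
import io
import logging
import re
from dataclasses import dataclass, field

SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"  # constructed demo seed, not a real account's secret

@dataclass
class TotpEntryLeaky:
    """Leaky shape: the default repr prints every field, the secret included."""
    label: str
    secret: str

@dataclass
class TotpEntry:
    """Hardened shape: the seed is excluded from repr, so logging the object cannot leak it."""
    label: str
    secret: str = field(repr=False)

# Backstop for secrets that still reach the logger: redacts the secret= parameter of
# otpauth:// URIs and any bare base32 run of 16+ characters. Coarse on purpose: a long
# all-caps label may be masked too, which is the right failure direction for a scrubber.
_SECRET_RE = re.compile(r"(secret=)?\b[A-Z2-7]{16,}=*")

def redact(text: str) -> str:
    """Replace every matched seed with a marker, keeping any 'secret=' prefix for readability."""
    return _SECRET_RE.sub(lambda m: (m.group(1) or "") + "<redacted>", text)

class RedactSecretsFilter(logging.Filter):
    """Rewrites each record's message before a handler formats it to disk."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def write_logs(lines: list[str]) -> list[str]:
    """Send constructed log lines through a logger carrying the filter; return what reaches disk."""
    buf = io.StringIO()
    logger = logging.getLogger("authenticator-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.debug(line)
    return buf.getvalue().splitlines()
```

Excluding the field from `repr` removes the leak at the source; the filter is a second layer for code paths that interpolate the raw seed into a message anyway.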
Resolved in the Meantime
Proton emphasizes to BleepingComputer that the logs are never sent to its servers and that the synchronization of codes is end-to-end encrypted. However, the log file poses a risk if users inadvertently share it during a bug report or support process.
The vulnerability could not be exploited remotely. However, malicious actors with physical access to the device could easily read the secret codes. Proton has adjusted the logging to prevent this behavior.