Full Report
Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared. [...]
Analysis Summary
# Vulnerability: Proton Authenticator iOS App Leaks TOTP Secrets in Local Logs
## CVE Details
- CVE ID: Not explicitly provided in the source material.
- CVSS Score: Information not available.
- CWE: Not stated in the source. The described behaviour maps to CWE-532: Insertion of Sensitive Information into Log File.
## Affected Systems
- Products: Proton Authenticator (iOS version)
- Versions: Prior to 1.1.1
- Configurations: Default installation; the secret was logged during normal use whenever a TOTP entry was added or updated.
## Vulnerability Description
A flaw in the Proton Authenticator application for iOS caused Time-based One-Time Password (TOTP) secrets to be written to the app's local log files. When a TOTP entry was added or updated, the logging call recorded the full parameter set of the operation (the `params` variable) instead of a sanitized subset, so the shared secret itself landed in the log entry in plaintext.
Proton stated that the logging was local only, that secrets were never sent to its servers in plaintext, and that sync remains end-to-end encrypted. Exposure therefore requires someone to obtain the log file: an attacker with access to the device's storage, or a third party to whom the user sends the logs, for example when troubleshooting. A TOTP secret is the long-lived seed from which every code is derived, so whoever holds it can generate valid codes for that account until the user re-enrols with a new secret.
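To make the flaw concrete, here is an added illustration in Python (not Proton's code, which is an iOS app; the field names other than `secret` and the shape of the `params` object are assumed) of the unsafe logging pattern beside a hardened version that redacts the seed before the line is written:

```python
import json
import re

# Names of fields whose values must never reach a log line. "secret" is the
# field the article describes; the remaining names are assumed here.
SENSITIVE_KEYS = {"secret", "uri", "password", "token"}

# An otpauth:// URI carries the seed in its query string, so a URI embedded
# in any string value has to be masked as a whole.
OTPAUTH_RE = re.compile(r"otpauth://\S+", re.IGNORECASE)

# Constructed example of the parameters of an "add TOTP entry" operation.
SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"
SAMPLE_PARAMS = {
    "issuer": "Example",
    "account": "alice@example.com",
    "secret": SAMPLE_SECRET,
    "digits": 6,
    "period": 30,
}


def log_entry_vulnerable(action, params):
    """Unsafe pattern: the whole params object is serialised into the log
    message, seed included. This is the class of bug the article describes."""
    return "%s params=%s" % (action, json.dumps(params, sort_keys=True))


def redact(params):
    """Return a copy of params that is safe to log: sensitive keys are
    replaced by a marker, otpauth URIs inside string values are masked, and
    nested dicts are handled recursively. The input dict is not modified."""
    safe = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_KEYS:
            safe[key] = "<redacted>"
        elif isinstance(value, dict):
            safe[key] = redact(value)
        elif isinstance(value, str):
            safe[key] = OTPAUTH_RE.sub("otpauth://<redacted>", value)
        else:
            safe[key] = value
    return safe


def log_entry_fixed(action, params):
    """Hardened pattern: the same log line, built from the redacted copy, so
    the app still holds the real secret for storage but the log never does."""
    return "%s params=%s" % (action, json.dumps(redact(params), sort_keys=True))


if __name__ == "__main__":
    for build in (log_entry_vulnerable, log_entry_fixed):
        line = build("add_totp", SAMPLE_PARAMS)
        print("%-22s leaks secret: %s" % (build.__name__, SAMPLE_SECRET in line))
        print("    " + line)
```

The fixed variant uses a denylist of field names plus a pattern for `otpauth://` URIs. A denylist is only as good as its coverage: a new field that carries the seed under a different name would leak again, so an allowlist of fields known to be safe to log is the more robust default for an authenticator.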
## Exploitation
- Status: No exploitation is reported in the source. There is no remote path; the risk is confined to whoever can read the log file.
- Complexity: Low once the log is in hand (an unlocked or compromised device, a file-system extraction, or a log copy the user shared); no further steps are needed because the secret is stored in plaintext.
- Attack Vector: Local (read access to the application's log storage on the device, or possession of a copy of the logs).
## Impact
- Confidentiality: **High**, as sensitive TOTP secrets could be exposed to unauthorized parties who gain access to the device logs.
- Integrity: Low. The flaw itself only discloses data, but a disclosed seed lets the holder generate valid MFA codes for the protected account, so the downstream effect is a weakened second factor rather than a direct integrity impact on the app.
- Availability: None.
## Remediation
### Patches
- Proton Authenticator for iOS version **1.1.1**, released roughly seven hours before the article was published.
- Updating stops the logging but does not revoke a seed that was already copied. If a log produced by an earlier version was ever shared, or could have been read from the device, the TOTP for the affected accounts should be re-enrolled with a fresh secret.
### Workarounds
- Because the secrets only reached local logs, the usual device-hardening controls bound the exposure: a strong passcode, a current iOS version, no jailbreak, and not leaving the device unlocked and unattended.
- Do not share the app's logs with anyone, including support, unless necessary, and review and redact them first; treat any log produced by a version prior to 1.1.1 as possibly containing secrets.
## Detection
- **Indicators of exposure:** Log entries from Proton Authenticator add or update operations whose parameters include the TOTP secret, a base32-encoded string, in plaintext.
- **Detection methods and tools:** Requires file-system access to the app's sandboxed container on the device (a forensic extraction, for example) or a copy of the logs the user has shared; the data never leaves the device, so there is no network-level signal to monitor for.
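As an added example (not a Proton tool; the log format below is constructed for illustration), the following Python script scans an exported log for base32 seeds, ranks matches by whether they appear in a field explicitly named `secret`, and then derives a TOTP code from a recovered seed to show that a leaked value is immediately usable:

```python
import base64
import hashlib
import hmac
import re

# Constructed sample of an exported log; these lines are made up for the
# example and are not taken from Proton Authenticator.
SAMPLE_LOG = """\
2025-08-06T10:01:02Z INFO app started
2025-08-06T10:01:10Z DEBUG add_entry params={"issuer":"Example","account":"alice@example.com","secret":"JBSWY3DPEHPK3PXP","period":30}
2025-08-06T10:01:11Z DEBUG imported otpauth://totp/Example:bob@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example
2025-08-06T10:02:00Z INFO sync completed, 2 entries
2025-08-06T10:02:05Z DEBUG request id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# A value labelled as a secret: JSON field ("secret":"...") or query
# parameter (secret=...). High confidence.
SECRET_FIELD_RE = re.compile(
    r'secret["\']?\s*[:=]\s*["\']?([A-Z2-7]{16,})', re.IGNORECASE)
# Any bare base32 run of plausible seed length (16 chars = 80 bits and up).
# Low confidence: request ids and hashes can look the same.
BARE_BASE32_RE = re.compile(r'(?<![A-Z2-7])[A-Z2-7]{16,64}(?![A-Z2-7])')


def b32_decode(token):
    """Decode base32, re-adding the '=' padding that logs usually drop."""
    return base64.b32decode(token + "=" * (-len(token) % 8), casefold=True)


def is_valid_base32(token):
    try:
        b32_decode(token)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def scan_log(text):
    """Return (line_number, confidence, secret) for every candidate seed.
    A token already reported from a labelled field is not reported again
    as a bare match on the same line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        seen = set()
        for m in SECRET_FIELD_RE.finditer(line):
            token = m.group(1).upper()
            if is_valid_base32(token):
                seen.add(token)
                findings.append((number, "high", token))
        for m in BARE_BASE32_RE.finditer(line):
            token = m.group(0)
            if token not in seen and is_valid_base32(token):
                findings.append((number, "low", token))
    return findings


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1). Used here to show that a recovered seed
    is directly usable: it yields the same codes the victim's app shows."""
    counter = (int(unix_time) // period).to_bytes(8, "big")
    digest = hmac.new(b32_decode(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    for number, confidence, secret in scan_log(SAMPLE_LOG):
        preview = secret[:4] + "..." + secret[-2:]
        print("line %d [%s] %s" % (number, confidence, preview))
        if confidence == "high":
            print("    current code for this seed:", totp(secret, time.time()))
```

Run it against a copy of the extracted log file (for example `scan_log(open(path).read())`). The low-confidence matches exist to catch secrets logged without a label, at the cost of flagging request ids and similar base32-looking values; review those by hand. Any high-confidence hit means the corresponding account's MFA should be re-enrolled with a fresh secret.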
## References
- Vendor Advisory: Proton (fix released in version 1.1.1)
- Relevant Links: bleepingcomputer.com/news/security/proton-fixes-authenticator-bug-leaking-totp-secrets-in-logs/