Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google Android Security

Google Could Have Fixed 2FA Code-Stealing Flaw in Authenticator App Years Ago (zdnet.com) 30

An anonymous reader shares a report: Last month, a cybersecurity firm discovered the first-ever Android malware that came with the capability to steal the 2FA (two-factor authentication) codes generated by the Google Authenticator app. The malware, discovered by researchers from ThreatFabric, was named Cerberus, and its 2FA OTP code-stealing feature was still under development, yet to have been detected in a real-world attack. According to researchers, the malware was a hybrid between a banking trojan and a remote access trojan (RAT).

Once an Android user got infected, the hacker would use the malware's banking trojan features to steal credentials for mobile banking apps. If an account was protected by 2FA, and namely by the Google Authenticator app, the malware was designed to allow the Cerberus gang to connect to a user's device manually, via its RAT features. Hackers would then open the Authenticator app, generate one-time passcodes, take a screenshot of the codes, and then access the user's account. [...] Nightwatch researchers said that Google could have fixed this issue as early as October 2014, when this misconfiguration was first brought to its attention by someone on GitHub.

This discussion has been archived. No new comments can be posted.

Google Could Have Fixed 2FA Code-Stealing Flaw in Authenticator App Years Ago

Comments Filter:
  • still not fixed? (Score:5, Interesting)

    by hraponssi ( 1939850 ) on Saturday March 07, 2020 @07:29AM (#59805890)

    So if I understand correctly this is still not fixed?

    iphone version:
    https://github.com/google/goog... [github.com]

    android version:
    https://github.com/google/goog... [github.com]

    Both are in open status. Only years ago someone working on it seem to have posted this fix in their own comments but never fixed it.. Maybe it doesn't sell ads, but Google should be able to do a bit better..

    • How do you suggest they fix this? The user has to install some random crap,then ignore all the screen recording warnings
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Security-conscious programs on Windows, like KeePass, avoid screen captures sniffing passwords by blitting direct to the screen buffer whenever they need to be shown instead of drawing them to the form's canvas through normal WM_PAINT events. Surely Android and iOS, from such great privacy-focused advocates, are advanced enough to have similar mechanisms?
      • Re: still not fixed? (Score:5, Interesting)

        by Sethra ( 55187 ) on Saturday March 07, 2020 @07:55AM (#59805904)

        The Android OS allows apps to protect their users by blocking other apps from screenshotting their content. This is done by adding a "FLAG_SECURE" option inside the app's configuration.
        Google did not add this flag to Authenticator's app, despite the fact that the app was handling some pretty sensitive content.

        The question becomes WHY have they not done this. Despite being warned for years, despite it being a simple patch, it was deliberately not done.

        • > The question becomes WHY have they not done this. Despite being warned for years, despite it being a simple patch, it was deliberately not done.

          Cui bono? Spooks (and other criminals).

          Use a third-party authenticator app from a developer who has incentives to do it right, and didn't get started with InTelQ money. And doesn't have a CEO from the CFR.

        • I cut the authenticator team some slack here, because Android permissions are a complex mess. Do you feel like you understand them well enough to make your apps secure? I don't.

          I DO blame the Android permissions team for this nonsense though, because they're just an ad-hoc mess, driven by feature requests, rather than fitting into any kind of rational design. A permissions system needs to be well thought out and well defined. That means a programmer using the system can understand what the various permiss
        • Why have they not done this? Because it is pointless. If the device is already compromised then you can just as easily copy the key used to generate the OTP.

          Once the device is in the attackers physical possession OR the attacker can run code on the device, there can be no defense.

          • by Junta ( 36770 )

            Well, in this specific case, there is a mitigation designed for precisely this that an app can readily opt into, if they know of the setting.

            Now if we were in a different platform or the capability to block screenshots completely did not exist, I'd agree this is silly. After all, it requires that the target sideload and also ignore very clear prompts for the 'attack' to work. But the mechanism is there so might as well use it.

    • by AmiMoJo ( 196126 )

      I just tested it on my phone and can confirm that I was able to screenshot the Authenticator app.

      I've been thinking about moving away from it for a while anyway. Keepass can be used with TOTP on desktop and Android, and I've been meaning to get a YubiKey or similar for a while anyway. The main issue with Google Authenticator (apart from this flaw) is that you can't export the secrets from it so you can't easily switch to a new phone or device, you have to go round each site generating new secrets.

      • Other apps will sync the private keys securely. It's bad opsec for me to post the one I use but look for that and have a backup device on once in a while. You can get oldish Android devices for free practically so there's no excuse for a nerd to not have a backup, really.

        I was originally burned and went looking for one that syncs in response.

        The other thing you can do is to screenshot the initial QR code you see and store it in your password manager.

      • by Anonymous Coward
        All you have to do is put the secret into your backup device at the get-go rather than trying to extract the keys from your phone later. If your backup device is a Linux computer you can use a command-line program where you can extract the secrets if you wish. Since the Linux computer is a backup you can use a very long passphrase to encrypt the secrets and you can make it a computer you don't normally use (e.g. a Raspberry Pi normally kept off the network).
  • No one Cares about Security.

    We just fucking don't. From the consumers that constantly buy and use compromised devices to the businesses that constantly produce security functions on them... you can tell a consumer that a device is not secure and they will still buy it. You can tell a business that a device is not secure and they will still fucking use it! I have personally been in such scenarios... and more than a few times.

    We just do not fucking care! Compound that with the fact that most people and m

  • > The malware, discovered by researchers from ThreatFabric, was named Cerberus

    Not to be confused with the myriad apps named Cerberus...

  • Why does a flaw NOT exist if it isn't detected?

  • Just enough of the intelligence services bidding to keep us suspicious.

    Crazy they new about it for ~6 years and didn't do anything, alot of their users important stuff in the world is protected by this.
  • I don't use Android apps to store data. You don't have to be an IT guru to understand that this mass could sooner or later lead to data theft and hacking. each company for business orders the development of software exclusively for its own needs and tries to create several degrees of protection. helps in finding patch management vulnerability https://www.action1.com/ [action1.com]. This helps you detect and installed Windows updates and fixes in real time
  • is Yubico Authenticator. It's TOTP, just like Google Auth and is fully compatible with sites that support Google Auth. The best part is, codes don't appear unless you plug your yubikey into your phone. You can even require some entries to require a yubikey touch before the code is displayed. And to save the best part for last, nothing sensitive is ever stored on your phone itself. You can even plug your yubikey in a different phone and all your codes appear.

    At the end of the day, U2F is better than TOT

    • Thanks Yubikey salesman! Problem is, almost no sites support U2F. The ones that did, like Paypal for instance, pulled support for it long ago and replaced it with SMS 2FA. That alone just goes to show, no one is interested in real security. They'd rather have your phone number
      • Considering all the simjacking going on, this was an incredibly stupid move by Paypal. The good news is that paypal is in the minority, most sites that support 2FA use TOTP or U2F and sites that don't yet support 2FA will use one of these methods when they do. I would say that about 25% of all the sites I log into use U2F and the number is only growing.

      • Comment removed based on user account deletion
  • How are these people not testifying before Congress, much less in jail?

  • Google Authenticator assumes that the only person who uses your phone is you, and thus gives up its 2FA codes with no further hassles. In other words, the phone's security acts as Authenticator's security. Meaning someone who has hacked your phone so they can remotely access it, can run Authenticator without any problems. More mundanely, anybody you hand your phone to while it's unlocked (say, so they can read an interesting slashdot post you found) can run Authenticator and get a 2FA code good for 30 sec
    • The iOS app "OTP Auth" has a option that requires TouchID/FaceID before granting access to the one-time codes. I believe that's on by default, but it's been a while since I installed the app so I could be mistaken.

      The underlying protocol is open, so there's no reason anyone has to use Google Authenticator unless they choose to - regardless of the fact that some sites specifically mention Google's app (I assume because it's the best known).

  • OneDrive 2FA doesn't require a phone number, so gDrive 2FA is mostly means to link a real name to an account.

    Google Authenticator demands access to the internet and account names: Anyone who doesn't equate that to spyware, isn't trying to keep privacy.

  • And can even be used for Google account authentication

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...