Google Could Have Fixed 2FA Code-Stealing Flaw in Authenticator App Years Ago

An anonymous reader shares a report: Last month, a cybersecurity firm discovered the first-ever Android malware that came with the capability to steal the 2FA (two-factor authentication) codes generated by the Google Authenticator app. The malware, discovered by researchers from ThreatFabric, was named Cerberus, and its 2FA OTP code-stealing feature was still under development, yet to have been detected in a real-world attack. According to researchers, the malware was a hybrid between a banking trojan and a remote access trojan (RAT).

Once an Android user got infected, the hacker would use the malware's banking trojan features to steal credentials for mobile banking apps. If an account was protected by 2FA, and namely by the Google Authenticator app, the malware was designed to allow the Cerberus gang to connect to a user's device manually, via its RAT features. Hackers would then open the Authenticator app, generate one-time passcodes, take a screenshot of the codes, and then access the user's account. [...] Nightwatch researchers said that Google could have fixed this issue as early as October 2014, when this misconfiguration was first brought to its attention by someone on GitHub.

still not fixed?

[hraponssi]

So if I understand correctly this is still not fixed?

iphone version:
https://github.com/google/goog... [github.com]

android version:
https://github.com/google/goog... [github.com]

Both are in open status. Only years ago someone working on it seem to have posted this fix in their own comments but never fixed it.. Maybe it doesn't sell ads, but Google should be able to do a bit better..

Re: still not fixed?

[SleepingEye]

How do you suggest they fix this? The user has to install some random crap,then ignore all the screen recording warnings

Re:

[Anonymous Coward]

Security-conscious programs on Windows, like KeePass, avoid screen captures sniffing passwords by blitting direct to the screen buffer whenever they need to be shown instead of drawing them to the form's canvas through normal WM_PAINT events. Surely Android and iOS, from such great privacy-focused advocates, are advanced enough to have similar mechanisms?

Re: still not fixed?

[Sethra]

The Android OS allows apps to protect their users by blocking other apps from screenshotting their content. This is done by adding a "FLAG_SECURE" option inside the app's configuration.
Google did not add this flag to Authenticator's app, despite the fact that the app was handling some pretty sensitive content.

The question becomes WHY have they not done this. Despite being warned for years, despite it being a simple patch, it was deliberately not done.

Re:

[bill_mcgonigle]

> The question becomes WHY have they not done this. Despite being warned for years, despite it being a simple patch, it was deliberately not done.

Cui bono? Spooks (and other criminals).

Use a third-party authenticator app from a developer who has incentives to do it right, and didn't get started with InTelQ money. And doesn't have a CEO from the CFR.

Re:

[phantomfive]

I cut the authenticator team some slack here, because Android permissions are a complex mess. Do you feel like you understand them well enough to make your apps secure? I don't.

I DO blame the Android permissions team for this nonsense though, because they're just an ad-hoc mess, driven by feature requests, rather than fitting into any kind of rational design. A permissions system needs to be well thought out and well defined. That means a programmer using the system can understand what the various permiss

Re:

[Retired ICS]

Why have they not done this? Because it is pointless. If the device is already compromised then you can just as easily copy the key used to generate the OTP.

Once the device is in the attackers physical possession OR the attacker can run code on the device, there can be no defense.

Re:

[Junta]

Well, in this specific case, there is a mitigation designed for precisely this that an app can readily opt into, if they know of the setting.

Now if we were in a different platform or the capability to block screenshots completely did not exist, I'd agree this is silly. After all, it requires that the target sideload and also ignore very clear prompts for the 'attack' to work. But the mechanism is there so might as well use it.

Re:

[AmiMoJo]

I just tested it on my phone and can confirm that I was able to screenshot the Authenticator app.

I've been thinking about moving away from it for a while anyway. Keepass can be used with TOTP on desktop and Android, and I've been meaning to get a YubiKey or similar for a while anyway. The main issue with Google Authenticator (apart from this flaw) is that you can't export the secrets from it so you can't easily switch to a new phone or device, you have to go round each site generating new secrets.

Re:

[bill_mcgonigle]

Other apps will sync the private keys securely. It's bad opsec for me to post the one I use but look for that and have a backup device on once in a while. You can get oldish Android devices for free practically so there's no excuse for a nerd to not have a backup, really.

I was originally burned and went looking for one that syncs in response.

The other thing you can do is to screenshot the initial QR code you see and store it in your password manager.

Re:

[Anonymous Coward]

All you have to do is put the secret into your backup device at the get-go rather than trying to extract the keys from your phone later. If your backup device is a Linux computer you can use a command-line program where you can extract the secrets if you wish. Since the Linux computer is a backup you can use a very long passphrase to encrypt the secrets and you can make it a computer you don't normally use (e.g. a Raspberry Pi normally kept off the network).

No one Cares

[SirAstral]

No one Cares about Security.

We just fucking don't. From the consumers that constantly buy and use compromised devices to the businesses that constantly produce security functions on them... you can tell a consumer that a device is not secure and they will still buy it. You can tell a business that a device is not secure and they will still fucking use it! I have personally been in such scenarios... and more than a few times.

We just do not fucking care! Compound that with the fact that most people and m

Bullshit. Provably bullshit

[raymorris]

TOTP is based on HMAC, which is provably more secure than the underlying hash function. (I've had to actually do this mathematical proof lately for a post grad crypto course).

The underlying hash for Google's TOTP is the weakest TOTP version, based on SHA1. The best (fastest) attack on SHA1 is a length-extension extension attack, where the attacker chooses both messages. Of course for TOTP the attacker doesn't get to choose your secret key, but even if they did, finding an collision takes over 9,223,372,036,854,775,808 SHA1 computations. This takes the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. And that's just to find " a (very) short list" of compatible secrets if we let the attacker choose the initial secret!

New TOTP implementations should use SHA-256, which is believed to be infeasible to attack even with chosen plaintext, and again attack TOTP is (provably) harder than a CPA.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[raymorris]

Why do you HAVE to have a complete lack of rate-limiting?

I did rate limiting in web security software I wrote in the 1990s; it worked on Linux, BSD, and Windows then and it still works today, with no changes to the rate limiting. So I'm thinking "running on different web servers" doesn't prevent touching a file in $TMP_DIR.

Nice name choice

[mrbester]

> The malware, discovered by researchers from ThreatFabric, was named Cerberus

Not to be confused with the myriad apps named Cerberus...

? Why...no attack, no flaw

[ElitistWhiner]

Why does a flaw NOT exist if it isn't detected?

Boy the intelligence agencies liked this

[sasparillascott]

Just enough of the intelligence services bidding to keep us suspicious.

Crazy they new about it for ~6 years and didn't do anything, alot of their users important stuff in the world is protected by this.

Patch Management

[kleverok mari]

I don't use Android apps to store data. You don't have to be an IT guru to understand that this mass could sooner or later lead to data theft and hacking. each company for business orders the development of software exclusively for its own needs and tries to create several degrees of protection. helps in finding patch management vulnerability https://www.action1.com/ [action1.com]. This helps you detect and installed Windows updates and fixes in real time

A better product

[golgotha007]

is Yubico Authenticator. It's TOTP, just like Google Auth and is fully compatible with sites that support Google Auth. The best part is, codes don't appear unless you plug your yubikey into your phone. You can even require some entries to require a yubikey touch before the code is displayed. And to save the best part for last, nothing sensitive is ever stored on your phone itself. You can even plug your yubikey in a different phone and all your codes appear.

At the end of the day, U2F is better than TOT

Re:

[TheRealMindChild]

Thanks Yubikey salesman! Problem is, almost no sites support U2F. The ones that did, like Paypal for instance, pulled support for it long ago and replaced it with SMS 2FA. That alone just goes to show, no one is interested in real security. They'd rather have your phone number

Re:

[golgotha007]

Considering all the simjacking going on, this was an incredibly stupid move by Paypal. The good news is that paypal is in the minority, most sites that support 2FA use TOTP or U2F and sites that don't yet support 2FA will use one of these methods when they do. I would say that about 25% of all the sites I log into use U2F and the number is only growing.

Re:

[account_deleted]

Comment removed based on user account deletion

Jail?

[theurge14]

How are these people not testifying before Congress, much less in jail?

Authy security model is just better

[Solandri]

Google Authenticator assumes that the only person who uses your phone is you, and thus gives up its 2FA codes with no further hassles. In other words, the phone's security acts as Authenticator's security. Meaning someone who has hacked your phone so they can remotely access it, can run Authenticator without any problems. More mundanely, anybody you hand your phone to while it's unlocked (say, so they can read an interesting slashdot post you found) can run Authenticator and get a 2FA code good for 30 sec

Re:

[93 Escort Wagon]

The iOS app "OTP Auth" has a option that requires TouchID/FaceID before granting access to the one-time codes. I believe that's on by default, but it's been a while since I installed the app so I could be mistaken.

The underlying protocol is open, so there's no reason anyone has to use Google Authenticator unless they choose to - regardless of the fact that some sites specifically mention Google's app (I assume because it's the best known).

Spyware

[NotEmmanuelGoldstein]

OneDrive 2FA doesn't require a phone number, so gDrive 2FA is mostly means to link a real name to an account.

Google Authenticator demands access to the internet and account names: Anyone who doesn't equate that to spyware, isn't trying to keep privacy.

Lastpass authenticator does not allow screenshots

[robinsc]

And can even be used for Google account authentication