Tag: Proton Authenticator

  • TOTP in the Clear: Proton Authenticator’s Privacy Misstep on iOS

    Proton, a company renowned for its commitment to privacy and security, made an unfortunate misstep in its latest offering—Proton Authenticator, a two-factor authentication app. In the iOS version, users’ TOTP secrets—used to generate one-time codes—were logged in plaintext. This meant that any exported logs could potentially expose access to all linked 2FA accounts—including, as it turned out, Bitwarden.

    The issue came to light after a user, having experienced data loss while testing the app, decided to file a bug report. While preparing his submission, he opened the log file and was startled to discover that his TOTP secrets were being recorded in clear text. Although the file was stored locally, it could have been inadvertently sent to support staff or uploaded to public platforms, as often happens when users seek help with technical issues.

    The root cause of the vulnerability lay in the logging mechanism of the iOS version [1, 2]. When updating or adding a new TOTP entry, the params variable—which contained all attributes, including the secret—was passed to functions that automatically recorded its contents in the log. As a result, even though Proton’s servers never accessed these secrets and all data remained encrypted at rest, users themselves risked compromising their accounts through careless log sharing.

    Figure: The TOTP secret was passed into the `params` variable, which was subsequently logged.

    Proton acknowledged the flaw and released version 1.1.1 to address the issue. In a public statement, the company emphasized that secrets were never transmitted to the server in plaintext and that all synchronization was secured with end-to-end encryption. However, it noted that if a device had already been compromised, no level of application-side protection could prevent data leakage—a malicious actor would have direct access to TOTP secrets regardless of logs.

    While the vulnerability did not permit remote access, the risk lay in the inadvertent exposure of logs. Applications that include features like export or automatic log submission must be especially vigilant about what information might be captured and transmitted.
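    The mechanism described above (a `params` structure holding the secret handed to a helper that logs everything) and the caveat about export features are illustrated below with an added Python sketch. This is not Proton's code; the key names, the sample entry and the base32 secret are constructed for the illustration. It shows the vulnerable logging shape beside a variant that redacts secret-bearing fields, and a pre-export scan that flags anything in an existing log that decodes as base32, so a log can be checked before it is attached to a bug report.

```python
"""Keeping TOTP secrets out of application logs (added example, not Proton's code)."""
import base64
import logging
import re

log = logging.getLogger("authenticator")

# Keys whose values must never reach a log line. "secret" is the field the
# article mentions; the other names are assumptions for this example.
SENSITIVE_KEYS = {"secret", "seed", "otpauth_uri", "password", "token"}


def redact(value, keep=2):
    """Mask a secret, keeping a short prefix so log entries stay recognizable."""
    s = str(value)
    if len(s) <= keep:
        return "*" * len(s)
    return s[:keep] + "*" * (len(s) - keep)


def redact_params(params):
    """Return a copy of params that is safe to log (recurses into nested dicts)."""
    safe = {}
    for k, v in params.items():
        if isinstance(v, dict):
            safe[k] = redact_params(v)
        elif k.lower() in SENSITIVE_KEYS:
            safe[k] = redact(v)
        else:
            safe[k] = v
    return safe


def add_entry_unsafe(params):
    """Vulnerable shape: the whole params dict is formatted into the log line."""
    line = "add_entry params=%r" % (params,)
    log.debug(line)
    return line


def add_entry_safe(params):
    """Hardened shape: only the redacted view of params is formatted."""
    line = "add_entry params=%r" % (redact_params(params),)
    log.debug(line)
    return line


# Base32 TOTP secrets are runs of A-Z and 2-7, usually 16 characters or more.
_B32_RUN = re.compile(r"\b[A-Z2-7]{16,}\b")


def find_possible_secrets(log_text):
    """Return distinct tokens in log_text that decode as valid base32.

    Intended as a last-line check before a log file is exported or shared.
    """
    hits = []
    for tok in _B32_RUN.findall(log_text):
        padded = tok + "=" * (-len(tok) % 8)
        try:
            base64.b32decode(padded)
        except Exception:
            continue  # not valid base32, ignore
        if tok not in hits:
            hits.append(tok)
    return hits


SAMPLE_PARAMS = {  # constructed sample entry, not real account data
    "issuer": "Example Service",
    "label": "alice@example.com",
    "secret": "JBSWY3DPEHPK3PXP",  # constructed base32 secret
    "digits": 6,
    "period": 30,
}


def demo():
    """Run both logging shapes over the sample and scan each resulting line."""
    before = add_entry_unsafe(SAMPLE_PARAMS)
    after = add_entry_safe(SAMPLE_PARAMS)
    return before, after, find_possible_secrets(before), find_possible_secrets(after)


if __name__ == "__main__":
    before, after, leaked, clean = demo()
    print(before)
    print(after)
    print("secrets visible in unsafe line:", leaked)
    print("secrets visible in safe line:", clean)
```

The redaction is applied at the point where the log line is built rather than in a post-processing filter, so a new caller that logs `params` directly still has to go through `redact_params`; the scanner is deliberately permissive (any long base32 run is reported) because a false positive costs a glance while a missed secret costs an account.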

    Proton Authenticator was launched as a cross-platform solution for managing two-factor authentication, compatible with Windows, macOS, Linux, Android, and iOS. Yet it was the iOS version that revealed a critical lapse in handling sensitive data. Despite the swift patch, the incident raises broader questions about the reliability of even those products that are marketed as secure by design.

  • Proton Launches Standalone Authenticator: Separating MFA from Passwords for Ultimate Security

    Proton has unveiled Proton Authenticator—a standalone application for two-factor authentication (2FA), available across Windows, macOS, Linux, Android, and iOS. It employs TOTP codes that refresh every 30 seconds, providing an additional layer of protection when signing into online services.

    Previously, Proton introduced a suite of privacy-centric tools: Proton Mail, Proton VPN, Proton Drive, and Proton Pass. This new offering further enriches that ecosystem.

    According to the company, Authenticator requires no registration, contains no advertisements, and employs no trackers. It operates entirely locally and is designed to function with any service that supports the TOTP standard.

    The app reportedly supports end-to-end encrypted device synchronization, as well as export and import of TOTP keys—features typically absent from other mainstream 2FA solutions. Additional capabilities include automatic backups and app locking via PIN or biometric authentication.

    Proton states in its blog that the source code will be released on GitHub in the near future, though the process may take several weeks to complete.

    Developers emphasize that this new tool is intended as a transparent and user-empowering alternative to offerings from major tech corporations, which they argue impose limitations and obscure their inner workings.

    TOTP-based apps are widely regarded as more secure than SMS or email authentication: they function offline, are less susceptible to interception, and their ephemeral codes significantly reduce the risk of data compromise.
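    To make concrete what an app of this kind does with a stored secret (the 30-second refresh mentioned above, offline operation, and why a code is only briefly useful), here is an added Python implementation of RFC 6238 TOTP on top of RFC 4226 HOTP. It is not Proton's code; the test secret is the one published in RFC 6238 Appendix B, and the base32 handling mirrors how authenticator apps store secrets from otpauth:// URIs. The verifier accepts one step of clock skew in either direction and uses a constant-time comparison.

```python
"""RFC 6238 TOTP generation and verification (added example, not Proton's code)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) followed by dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period, digits)


def totp_from_base32(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """Accept a secret as authenticator apps store it: base32, possibly spaced/lowercase."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that otpauth URIs omit
    return totp(base64.b32decode(s), at, period, digits)


def verify(secret: bytes, code: str, at: int, period: int = 30,
           digits: int = 6, skew: int = 1) -> bool:
    """Check code against the current step and +/- skew neighbouring steps."""
    step = at // period
    for s in range(step - skew, step + skew + 1):
        if hmac.compare_digest(hotp(secret, s, digits), code):
            return True
    return False


def seconds_remaining(at: int, period: int = 30) -> int:
    """How long the code for time `at` stays the current one."""
    return period - (at % period)


# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC vector: T=59 gives 94287082 with 8 digits, hence 287082 with 6.
    print(totp(RFC6238_SECRET, 59), totp(RFC6238_SECRET, 59, digits=8))
    now = int(time.time())
    print(totp(RFC6238_SECRET, now), "valid for", seconds_remaining(now), "more seconds")
```

Everything here is a function of the secret and the clock, which is why the app works offline and why a leaked code is worth little after its window; the stored secret, by contrast, reproduces every future code, which is what made the plaintext logging above serious.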