TOTP in the Clear: Proton Authenticator’s Privacy Misstep on iOS
Proton, a company renowned for its commitment to privacy and security, made an unfortunate misstep in its latest offering—Proton Authenticator, a two-factor authentication app. In the iOS version, users’ TOTP secrets—used to generate one-time codes—were logged in plaintext. This meant that any exported logs could potentially expose access to all linked 2FA accounts—including, as it turned out, Bitwarden.
The issue came to light after a user, having experienced data loss while testing the app, decided to file a bug report. While preparing his submission, he opened the log file and was startled to discover that his TOTP secrets were being recorded in clear text. Although the file was stored locally, it could have been inadvertently sent to support staff or uploaded to public platforms, as often happens when users seek help with technical issues.
The root cause of the vulnerability lay in the logging mechanism of the iOS version [1, 2]. When updating or adding a new TOTP entry, the params variable—which contained all attributes, including the secret—was passed to functions that automatically recorded its contents in the log. As a result, even though Proton’s servers never accessed these secrets and all data remained encrypted at rest, users themselves risked compromising their accounts through careless log sharing.
The TOTP secret was passed into the “params” variable, which was subsequently logged
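The pattern described above, as an added illustration that is not Proton's code: a whole-object log call beside a hardened version that masks secret-bearing fields before anything reaches the logger. The field names, the `SENSITIVE_KEYS` set and the sample entry are assumptions constructed for this example; the secret is a well-known test value, not a real one.

```python
import io
import logging
from typing import Any, Mapping

# Keys whose values must never reach a log line (assumed set for this example).
SENSITIVE_KEYS = frozenset({"secret", "seed", "otpauth_uri"})
REDACTED = "[REDACTED]"


def redact(params: Mapping[str, Any]) -> dict:
    """Copy of params with sensitive values masked; nested mappings are
    handled recursively and the original object is never modified."""
    safe: dict = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_KEYS:
            safe[key] = REDACTED
        elif isinstance(value, Mapping):
            safe[key] = redact(value)
        else:
            safe[key] = value
    return safe


def add_entry_unsafe(params: Mapping[str, Any], log: logging.Logger) -> None:
    # The pattern the article describes: the whole params object is logged,
    # so the TOTP secret lands in the log file verbatim.
    log.info("adding entry: %s", dict(params))


def add_entry_safe(params: Mapping[str, Any], log: logging.Logger) -> None:
    # Hardened version: only the redacted view is ever handed to the logger.
    log.info("adding entry: %s", redact(params))


def capture_log(handler_fn, params: Mapping[str, Any]) -> str:
    """Run handler_fn against a private in-memory logger and return its output."""
    buf = io.StringIO()
    log = logging.getLogger(f"example.{handler_fn.__name__}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers.clear()
    log.addHandler(logging.StreamHandler(buf))
    handler_fn(params, log)
    return buf.getvalue()


# Constructed sample entry (assumed field names; test-value secret, not a real one).
SAMPLE = {"issuer": "Example", "secret": "JBSWY3DPEHPK3PXP", "period": 30}

if __name__ == "__main__":
    print("unsafe:", capture_log(add_entry_unsafe, SAMPLE), end="")
    print("safe:  ", capture_log(add_entry_safe, SAMPLE), end="")
```

Redaction at the logging boundary is the cheap fix; the more robust one is to keep secrets out of general-purpose parameter objects altogether, so there is nothing for a convenience logger to capture.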
Proton acknowledged the flaw and released version 1.1.1 to address the issue. In a public statement, the company emphasized that secrets were never transmitted to the server in plaintext and that all synchronization was secured with end-to-end encryption. However, it noted that if a device had already been compromised, no level of application-side protection could prevent data leakage—a malicious actor would have direct access to TOTP secrets regardless of logs.
While the vulnerability did not permit remote access, the risk lay in the inadvertent exposure of logs. Applications that include features like export or automatic log submission must be especially vigilant about what information might be captured and transmitted.
Proton Authenticator was launched as a cross-platform solution for managing two-factor authentication, compatible with Windows, macOS, Linux, Android, and iOS. Yet it was the iOS version that revealed a critical lapse in handling sensitive data. Despite the swift patch, the incident raises broader questions about the reliability of even those products that are marketed as secure by design.