Google's Authenticator: How to Get Your Two FA Codes Anywhere

Until this week, you couldn't do that. Google authenticator is correctly using HTTPS and it's great to sync these codes. But once you've stripped off that, the actual two FA codes are not encrypted. It's not end to ending encrypted. In other words, Google can see your two FA codes. Anyone who can access your Google account includes such as law enforcement,. Not that I'm singling out you for any reason. Andy says he uses an authentication app which actually syncs. So if I lose one device, it's not a problem, I can still log into things. He adds: "It took them 13 years to implement this fairly fundamental functionality"

Play episode from 30:32

chevron_right

Transcript

chevron_right

Transcript

Episode notes

This Week In InfoSec (09:00)

With content liberated from the “today in infosec” twitter account and further afield

23rd April 2008: Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update. 3 years later Microsoft bought Skype for $8.5 billion.

Microsoft mislabels Skype as adware

https://twitter.com/todayininfosec/status/1253558642537713664

26th April 1999: Chernobyl Virus Melts Down PCs

The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers its payload on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, it is estimated that 60 billion PCs were infected worldwide causing $1 Billion in damages.

The virus had been created exactly one year earlier on April 26, 1998 by Taiwanese student Chen Ing-hau and set to trigger its destructive payload exactly one year later. It began to spread in the wild and was first discovered in June of 1998, given the name CIH due to the author’s initials discovered in the virus code. From this time forward it was reported that a variety of companies accidentally distributed the virus through various downloads, updates, and CDs.

When the virus triggered on this date it just happened to coincide with the date of the Chernobyl disaster in 1986 and therefore the press began to call it the Chernobyl virus, even though there has never been any evidence to show that this date was chosen intentionally for this reason.

My memories of Chernobyl/CIH here: https://nakedsecurity.sophos.com/2011/04/26/memories-of-the-chernobyl-virus/

Rant of the Week (17:35)

International cops urge Meta not to implement secure encryption for all

Why? Well, think of the children, of course

An international group of law enforcement agencies are urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online.

The Virtual Global Taskforce was formed in 2003 and is currently chaired by Britain's National Crime Agency. The VGT consists of 15 law enforcement bodies, including Interpol, the FBI, the Australian Federal Police and other law enforcement agencies from around the world. In its letter [PDF], the VGT said reports from tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material.

But the taskforce thinks that will end if Meta continues its encryption push. "The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods," the taskforce said.

Billy Big Balls of the Week (28:07)

After 13 years, Google has finally added syncing to Google Authenticator in iOS and Android.

By adding sync, you no longer need to worry about losing access to your online accounts. If you lose your phone, just restore them on a new device.

All good, right? Err…

https://twitter.com/mysk_co/status/1651021165727477763

Yes, Google syncs your 2FA codes via HTTPS. But Mysk found out they weren’t end-to-end encrypted. In short, Google can see your 2FA codes. Furthermore, anyone who can access your Google account (such as law enforcement) can access your 2FA codes.

Oh dear…

https://twitter.com/christiaanbrand/status/1651279598309744640

In response, Google said it had:

“We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception.”

“Plans to offer E2EE for Google Authenticator down the line.”

“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

What impressive balls of Google to introduce this new feature to a security/privacy product - after 13 years! - and brazenly do it in an insecure way.!

Industry News (37:43)

American Bar Association Breach Hits 1.5 Million Members

Thousands of Social Media Takedowns Hit People Smugglers

Yellow Pages Canada Hit by Cyber-Attack, Black Basta Claims Credit

UK Cyber Pros Burnt Out and Overwhelmed

Quad Countries Prepare For Info Sharing on Critical Infrastructure

Critical Flaw Patched in VMware Workstation and Fusion

Man Arrested for Selling Data on 300 Million Victims to Russians

Microsoft Blames Clop Affiliate for PaperCut Attacks

APT Groups Expand Reach to New Industries and Geographies

Tweet of the Week (45:06)

https://twitter.com/vxunderground/status/1651384225692786689