Proton fixes Authenticator bug leaking TOTP secrets in logs www.bleepingcomputer.com/news/secu…
Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared. Last week, Proton released a new Proton Authenticator app, which is a free standalone two-factor authentication (2FA) application for Windows, macOS, Linux, Android, and iOS.
The app is used to store multi-factor authentication TOTP secrets that can be used to generate one-time passcodes for authentication on websites and applications. Over the weekend, a user reported in a now-deleted Reddit post that the iOS version was exposing TOTP secrets in the app’s debug logs found under Settings > Logs.
“Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly,” reads an archive of the post.
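The following is an added example, not code from the article or from Proton: a Python logging filter that scrubs TOTP secrets before a log line is written, alongside the RFC 6238 derivation that shows why a logged secret is equivalent to every future code. The log-line shapes (an `otpauth://` URI or a `secret` field), the logger name, and all function and class names are assumptions made for illustration.

```python
import base64, hashlib, hmac, logging, re, struct

# Constructed sample: the key is the public RFC 6238 test key, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

# Assumed leak shapes: secret=<base32> in a URI, or a "secret": "<base32>" field.
SECRET_RE = re.compile(r'(secret["\']?\s*[=:]\s*["\']?)[A-Z2-7]{16,}=*', re.IGNORECASE)

def redact(text: str) -> str:
    """Replace any base32 TOTP secret in text with a fixed marker."""
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)

class TotpSecretFilter(logging.Filter):
    """Scrub the fully formatted message so secrets passed as args are caught too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the secret alone yields every code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    log = logging.getLogger("authenticator")  # hypothetical logger name
    handler = logging.StreamHandler()
    handler.addFilter(TotpSecretFilter())
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.debug("entry updated: %s", SAMPLE_URI)  # secret is scrubbed before output
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```

Attaching the filter to the handler rather than to individual loggers means every record that reaches that sink is scrubbed, including records from third-party libraries.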