If you are using the iOS version of Proton Authenticator, it is imperative that you visit the Apple App Store immediately and update to the latest version. A critical security vulnerability in earlier releases causes TOTP secrets to be logged in plaintext, potentially exposing multi-factor authentication codes.
Proton Authenticator, a newly released free authentication tool from encrypted email provider Proton, offers end-to-end encrypted data synchronization and broad platform support—making it an increasingly popular choice among users.
However, a Reddit user recently discovered a severe flaw in the iOS version. While inspecting debug logs during setup, the user noticed that Proton Authenticator was writing TOTP secrets to the log in plaintext. Anyone who obtained such logs would hold the seeds from which the app's multi-factor authentication codes are generated, so sharing the logs could inadvertently expose those codes.
The root of this vulnerability lies in the iOS version's handling of TOTP data. Specifically, the full set of fields describing a TOTP entry, the secret among them, was assigned to a params variable, which was then passed to two functions responsible for adding or updating TOTP entries within the app; the debug logging along that path emitted the whole params object rather than a redacted view of it, so the secret ended up in the log.
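To make the pattern concrete, the following added example (not Proton's code; the field names, the otpauth URI shape and the sample secret are all constructed for illustration) contrasts a debug line that dumps the whole params object with one that redacts the seed first, and adds a scanner a defender can run over captured logs to catch base32 runs long enough to be TOTP seeds before those logs are shared:

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of the kind of "params" payload an authenticator app
# assembles when adding or updating a TOTP entry. The field names are
# assumptions for this example, not Proton Authenticator's real schema.
SAMPLE_PARAMS = {
    "issuer": "example.com",
    "label": "alice@example.com",
    "secret": "JBSWY3DPEHPK3PXP",  # constructed base32 seed, not a real one
    "uri": "otpauth://totp/example.com:alice@example.com"
           "?secret=JBSWY3DPEHPK3PXP&issuer=example.com",
    "period": 30,
    "digits": 6,
    "algorithm": "SHA1",
}

# Keys whose values must never reach a log: the raw seed itself and any
# field (such as an otpauth URI) that carries the seed inside it.
SENSITIVE_KEYS = frozenset({"secret", "seed", "uri", "otpauth"})


def unsafe_log_line(action: str, params: dict) -> str:
    """The vulnerable pattern: the entire params object is interpolated into
    a debug message, so the TOTP seed lands in the log in plaintext."""
    return f"{action} params={params!r}"


def redact_uri(uri: str) -> str:
    """Keep an otpauth URI's overall shape for debugging, but blank out the
    secret query parameter so the seed cannot be recovered from the log."""
    parts = urlsplit(uri)
    query = [
        (key, "REDACTED" if key.lower() == "secret" else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_params(params: dict) -> dict:
    """Return a copy of params that is safe to log: sensitive keys are
    replaced wholesale, except otpauth URIs, which keep their non-secret parts."""
    safe = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_KEYS:
            if isinstance(value, str) and value.startswith("otpauth://"):
                safe[key] = redact_uri(value)
            else:
                safe[key] = "REDACTED"
        else:
            safe[key] = value
    return safe


def safe_log_line(action: str, params: dict) -> str:
    """The corrected pattern: log only the redacted view of params."""
    return f"{action} params={redact_params(params)!r}"


# A TOTP seed is base32 (A-Z, 2-7, optional '=' padding); 80-bit seeds encode
# to 16 characters, so runs of 16 or more are worth flagging. The lookarounds
# stop the match from starting or ending inside a longer base32 run.
BASE32_SEED_RE = re.compile(r"(?<![A-Z2-7])[A-Z2-7]{16,}(?:={1,6})?(?![A-Z2-7])")


def find_leaked_seeds(log_text: str) -> list[str]:
    """Scan captured log text for candidate TOTP seeds. Suitable as a pre-share
    or CI check on debug logs; long uppercase identifiers can false-positive,
    so treat hits as leads to inspect rather than proof of a leak."""
    return sorted(set(BASE32_SEED_RE.findall(log_text)))


if __name__ == "__main__":
    leaky = unsafe_log_line("addEntry", SAMPLE_PARAMS)
    clean = safe_log_line("addEntry", SAMPLE_PARAMS)
    print("unsafe:", leaky)
    print("safe:  ", clean)
    print("seeds found in unsafe line:", find_leaked_seeds(leaky))
    print("seeds found in safe line:  ", find_leaked_seeds(clean))
```

The scanner is deliberately a separate function from the redaction: redaction belongs in the app's logging path, while the scanner is the control a reviewer or user can apply to logs that already exist, which is exactly the position the Reddit reporter was in when inspecting the debug output.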
Upon receiving the vulnerability report, Proton confirmed the issue and has since released version 1.1.1 of Proton Authenticator to address the flaw. Users are strongly advised to update to this latest version to ensure their security.
The potential impact of the vulnerability is somewhat limited, as all data within Proton Authenticator remains end-to-end encrypted in transit and at rest on Proton's side. The plaintext appears only after local decryption on the device, so the data stored on Proton's servers remains encrypted and is unaffected.
Unless a user deliberately shares their logs or uploads them to a cloud service, there is little risk of exposure. These debug logs are not transmitted to Proton’s servers. According to Proton, the only scenario in which this vulnerability might be exploited is if someone gains physical access to the device and successfully unlocks it.