Google Authenticator sync without end-to-end encryption

A new cloud synchronization feature in Google Authenticator is under fire from privacy advocates, who point out that the data exchanged between the device and the cloud is not end-to-end encrypted and could be read by anyone who gains access to it in transit or at rest.

Google added the sync feature so that users can keep backups of their two-factor authentication codes in the cloud and carry them across devices.


Researchers at Mysk analyzed the network traffic of the updated Google Authenticator app and reported that it "turned out that the traffic is not end-to-end encrypted."

"Google just updated the 2FA Authenticator app and added a much-needed feature: the ability to sync between devices. TL;DR: Don't enable it", Mysk explained in a tweet. "While syncing 2FA codes across devices is convenient, it comes at the expense of your privacy."

The researchers said that, given the lack of end-to-end encryption, data leaks and unauthorized access to Google accounts are very likely to follow. A successful attack would give the attacker the 2FA QR code payloads that are used to generate the one-time codes.

"Each 2FA QR code contains a seed that is used to generate the one-time codes. If someone knows the seed, they can generate the same one-time codes and bypass the 2FA protections. So if there is ever a data breach, or if someone gains access to your Google account, all 2FA seeds will be compromised."

Paul Ducklin, writing on Sophos' Naked Security blog, said that anyone who can get at your Google data will also be able to get at this sensitive authentication data.

Mysk researchers recommend that users who are concerned about privacy disable the new sync feature in the Google Authenticator app.

In a tweet, Christian Brand, an identity and security product manager at Google, acknowledged the privacy concerns and said that Google plans to add end-to-end encryption to the app.

iGuRu.gr - The Best Technology Site in Greece


Written by giorgos

George still wonders what he's doing here ...
