Proton has fixed a critical bug in its iOS Authenticator app that wrote TOTP secrets in plaintext to the app's local debug logs, so anyone the logs were shared with could have read them. The secrets never left the device unencrypted; the risk was that a user exporting or sharing those local logs would also hand over the seeds behind their second factors. #ProtonAuthenticator #TOTPSecrets #iOSSecurity
Keypoints
- The Proton Authenticator app for iOS wrote TOTP secrets into its debug logs.
- The bug was in code that logged the full TOTP entry, including the secret, whenever an entry was updated.
- Proton released version 1.1.1, which stops the secret from being logged.
- Secrets are never transmitted unencrypted to Proton servers; the end-to-end encryption of synced data was not affected.
- Locally stored logs can still expose secrets if the device is compromised or the logs are shared, so keeping the device secure and checking logs before sharing them still matters.
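The pattern behind this class of bug is a debug log that formats a whole entry struct, so whatever is in the struct, secret included, ends up in the log. The Rust example below is added here to illustrate it; it is not Proton's code and makes no claim about how their app is written. It shows a "leaky" entry whose derived Debug output prints the seed, a hardened entry whose seed lives in a newtype with a redacting Debug implementation, a scanner that finds log lines containing a known seed, and a scrubber for logs that are about to be shared. The seed `JBSWY3DPEHPK3PXP` and the log lines are constructed for the example.

```rust
use std::fmt;

/// Newtype for a base32 TOTP seed. Its Debug impl never prints the value,
/// so `{:?}` on any struct that contains it cannot leak the seed.
/// (Hypothetical type for this example.)
#[derive(Clone, PartialEq)]
pub struct SecretSeed(String);

impl SecretSeed {
    pub fn new(base32: &str) -> Self {
        SecretSeed(base32.to_string())
    }
    /// The only way to get the raw seed; callers must opt in explicitly.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for SecretSeed {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// "Before": the seed is a plain String, so the derived Debug prints it.
#[derive(Debug, Clone)]
pub struct LeakyEntry {
    pub issuer: String,
    pub account: String,
    pub secret: String,
}

/// "After": same fields, but the seed is wrapped so Debug cannot print it.
#[derive(Debug, Clone)]
pub struct SafeEntry {
    pub issuer: String,
    pub account: String,
    pub secret: SecretSeed,
}

/// Simulates the debug line an app might write when an entry is updated.
pub fn log_update_leaky(e: &LeakyEntry) -> String {
    format!("DEBUG updating entry: {:?}", e)
}

/// Same log statement against the hardened entry type.
pub fn log_update_safe(e: &SafeEntry) -> String {
    format!("DEBUG updating entry: {:?}", e)
}

/// Log hygiene check: returns 1-based line numbers that contain the raw seed.
pub fn lines_leaking(log: &str, seed: &str) -> Vec<usize> {
    log.lines()
        .enumerate()
        .filter(|(_, line)| line.contains(seed))
        .map(|(i, _)| i + 1)
        .collect()
}

/// Scrub a known seed out of a log before it is shared with anyone.
pub fn scrub(log: &str, seed: &str) -> String {
    log.replace(seed, "[REDACTED]")
}

fn main() {
    let seed = "JBSWY3DPEHPK3PXP"; // constructed sample seed
    let leaky = LeakyEntry {
        issuer: "Example".into(),
        account: "alice@example.com".into(),
        secret: seed.into(),
    };
    let safe = SafeEntry {
        issuer: "Example".into(),
        account: "alice@example.com".into(),
        secret: SecretSeed::new(seed),
    };
    println!("{}", log_update_leaky(&leaky)); // seed appears in the line
    println!("{}", log_update_safe(&safe));   // seed printed as [REDACTED]

    // Constructed log: line 2 was written by the leaky code path.
    let log = format!(
        "INFO app started\n{}\nINFO sync complete\n",
        log_update_leaky(&leaky)
    );
    println!("leaking lines: {:?}", lines_leaking(&log, seed));
    println!("{}", scrub(&log, seed));
}
```

The newtype is the durable fix: once the seed can only be reached through `expose()`, a future `{:?}` added to any log statement cannot reintroduce the leak, whereas redacting at each call site has to be remembered every time. The scanner and scrubber cover the other half of the advisory, checking logs that already exist before they are shared.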