Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

The #ENISA SME tool is available to assess the #cybersecurity maturity of your organisation and seek advice on the areas for improvement.

Check it out and share it with your network https://europa.eu/!xpx4jG #SMEs

🐦🔗: https://n.respublicae.eu/enisa_eu/status/1646874852001738755

Happy Sunday! A new ~this week in security~ is out:

• Citizen Lab outs QuaDream's spyware exploits
• U.S. airman charged with classified leak
• Western Digital hackers claim vast access
• How swatters are using synthesized voices
• North Korea hacked 3CX phones
• CISA's new security guidance
• A two-for-one cybercat special, and more.

Sign up: https://this.weekinsecurity.com

Read online: https://mailchi.mp/zackwhittaker/this-week-in-security-april-16-edition

Sigh. Let's see if y'all can play along at home:

The FCC and the FBI's Denver field office are both warning people to beware of Juice Jacking attacks at airports and other public places. Both cite "cybersecurity experts."

https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations

An FBI spox told me the Denver field office warning was reporting information from the FCC. An FCC spox said its information came from a 2019 NYT article, but that the agency has received consumer complaints of juice jacking.The NYT article cited a warning from the LA DA's office. The DA's post was taken down in December 2021, a couple weeks after @zackwhittaker reported DA officials had no cases and could point to no cases of it happening.

Even though the the LA DA's warning was depublished ~18 months ago and the FCC spox can't name a single cybersecurity expert issuing such warnings, there are no plans to correct the post and no mechanism for the public to challenge the warning.