Mobile Syrup

Google Authenticator doesn’t feature end-to-end encryption

Google’s new two-factor authentication tool has been discovered not to offer end-to-end encryption, which could lead to security risks.

The Authenticator app works by generating unique codes that websites require as a second layer of protection on top of user passwords. Earlier this week, Google announced that users would now be able to sync Authenticator to a Google account and use it across multiple devices. This move from the tech giant eliminates the risk of being locked out of your account because of a misplaced phone.

However, when security researchers and app developers at the software company Mysk dug deeper into the change, they noticed that the underlying data wasn’t end-to-end encrypted. The company went on to explain on Twitter that Google is likely able to see the ‘secrets’, even while they’re stored on its servers. In security, the word ‘secrets’ describes credentials that work as a key to unlock an account or a tool.

This opens up the possibility for Google to get a glimpse at users’ apps and data for the purpose of targeted ads.

The full tweet from Mysk detailing its concern can be found below:

To avoid the issue, users can keep using Authenticator without connecting it to their Google account or syncing it across other devices. The downside is that this effectively renders the newest update useless.

Google might not be the only one who can see your data. The tests conducted found that the unencrypted traffic contains a seed that is used to generate the two-factor authentication codes, and according to researcher Tommy Mysk, anyone with that seed can generate codes that can be used to breach your account.
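Why the seed is the whole secret, as an added example that is not from the article or from Mysk: it assumes the codes are standard time-based one-time passwords (TOTP, RFC 6238, built on HOTP from RFC 4226), and the seed is the public RFC test value, not a real one. The function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

def decode_seed(b32: str) -> bytes:
    """Seeds are normally exchanged as Base32 text; restore padding and decode."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since epoch."""
    return hotp(seed, unix_time // step)

def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check; adjacent time steps are accepted to tolerate clock drift."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )

# Constructed sample: the RFC 6238 test seed ("12345678901234567890") in Base32.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111109                           # fixed timestamp from the RFC test table
    enrolled_device = decode_seed(RFC_SEED_B32)
    synced_copy = decode_seed(RFC_SEED_B32)    # same bytes, read from any other copy

    # Nothing device-specific enters the computation: the seed and the clock
    # are the only inputs, so every holder of the seed produces the same code.
    print(totp(enrolled_device, now), totp(synced_copy, now))
    print(verify(enrolled_device, totp(synced_copy, now), now))
```

Because the verifier cannot tell which copy of the seed produced a code, any stored or synced copy needs the same protection as the original on the phone.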

The discovery is concerning, considering the company has taken steps with similar tools to prevent data spying.

Google has yet to comment on the issue and has not announced plans to add password protection to Authenticator.

Image credit: Google

Source: @mysk_co Via: Gizmodo


Meta is testing out end-to-end encryption for Facebook Messenger

Similar to Meta-owned WhatsApp, the company’s other main endeavour, Facebook Messenger, is poised to soon transition to end-to-end encryption by default. The company is currently testing out the privacy feature on Messenger, as announced in a recent press release.

If end-to-end encryption were to roll out for Messenger, only the sender of the message and the receiver would be able to view it, taking away the ability of even Facebook itself to view the content of chats.

The news is kind of ironic, as it comes only a day after Facebook handed over a mother and daughter’s abortion-related chat history to the police. Facebook experienced public outcry in response to the news, though it said that the contents of the chat were unknown to the company. “We received valid legal warrants from local law enforcement on June 7, before the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The warrants did not mention abortion at all,” wrote the company.

In addition to end-to-end encryption, Facebook is also testing out a “secure storage feature” to back up encrypted messages on the cloud and allow them to be transferred between devices. “As with end-to-end encrypted chats, secure storage means that we won’t have access to your messages, unless you choose to report them to us,” wrote the company. “Secure storage will be the default way to protect the history of your end-to-end encrypted conversations on Messenger, and you’ll have multiple options for restoring your messages if you choose to do so.”

Users would be able to access their encrypted chat history either through a PIN or a generated code, and keeping it safe would be the user’s responsibility. Facebook said it is testing out secure storage this week on Android and iOS.

Other announcements include syncing deleted messages across devices, the removal of vanish mode on Messenger, expanded chat features on Instagram and more. Read the company’s news release here.

Source: Facebook