Google Can Access Unencrypted Secrets
Cybersecurity researchers Mysk shared their analysis of Google's privacy update on Twitter, revealing that network traffic during the app's sync process is not end-to-end encrypted. This means that Google can access the secrets, even when stored on its servers.
Vulnerability to Malicious Actors
The update enables users to sync their two-factor authentication secrets across iOS and Android devices, but these secrets are potentially vulnerable. The secret is the only input needed to compute codes, so if a malicious actor obtains it, they can generate valid one-time passwords and bypass the two-factor authentication measures.
Private Information and Personalized Ads
2FA QR codes often contain additional information, such as account and service names. As Google can access these secrets, the company could use this private information to display personalized advertisements.
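To make concrete what the two preceding sections describe, here is an added example (not code from Mysk or Google) that parses a constructed otpauth:// provisioning URI of the kind encoded in a 2FA QR code, separates the account and issuer metadata that any party seeing an unencrypted sync payload can read from the seed that must stay confidential, and computes RFC 6238 TOTP codes from that seed alone. The sample URI and its issuer/account values are constructed; the TOTP check uses the RFC 6238 test vector.

```python
"""What a 2FA QR code carries, and why the seed must be encrypted in transit."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URI in the shape Google Authenticator scans: the label holds
# issuer and account name, the "secret" parameter is the base32 TOTP seed.
SAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank&digits=6&period=30")

def parse_otpauth(uri):
    """Split a provisioning URI into readable metadata and the confidential seed."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": parts.netloc,
        "issuer": q.get("issuer", issuer_from_label),
        "account": account,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "secret": q["secret"],
    }

def metadata_exposed(uri):
    """Fields a relay that sees the unencrypted sync traffic can read directly."""
    info = parse_otpauth(uri)
    return {k: info[k] for k in ("issuer", "account")}

def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): the seed and the clock are all that is needed."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print("metadata visible to a sync relay:", metadata_exposed(SAMPLE_URI))
    print("code reproduced from the seed alone:",
          totp(info["secret"], time.time(), info["digits"], info["period"]))
```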
Exported Data Excludes 2FA Secrets
The cybersecurity experts also discovered that when users export their data from Google, the two-factor authentication secrets stored in their accounts are not included in the exported data. Mysk recommends that users exercise caution with the new privacy update.
Balancing Convenience and Privacy
Mysk tweeted, "The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets."