A security company is calling out a feature in Google's Authenticator app that it says made a recent network breach much worse.
Retool, which sells a platform for building internal business software, disclosed on Wednesday a breach in which an attacker reached its internal admin systems and took over the accounts of 27 customers, all in the cryptocurrency industry.
Retool says the breach was made worse by a feature in Google's Authenticator app that syncs users' two-factor authentication (2FA) secrets to their Google account. Once the attacker controlled a Retool employee's Google account, those synced secrets let them generate valid codes for every account the employee had enrolled in the app. That is how the attacker got from one phished login to Retool's VPN and internal admin systems, and from there to the 27 customer accounts.
Retool is urging its customers to disable the sync feature in Google Authenticator and to use a different 2FA app, such as Authy or Microsoft Authenticator.
The attack began with SMS phishing on August 27, 2023. The attacker sent text messages to several Retool employees, claiming to be from IT and warning that a problem with the recipient's account would prevent them from taking part in the company's open enrollment for health care coverage. The messages arrived while Retool was in the middle of moving its logins to the identity provider Okta, so a message about account problems was plausible.
Most of the targeted employees ignored the text, but one clicked the link and logged in to the site it pointed to. The site was a phishing page built to harvest login credentials; the employee entered their password and a time-based one-time password (TOTP) from Google Authenticator into it.
With the stolen password and one-time code, the attacker logged in to the employee's Okta account. Later, using codes recovered from the employee's Google account (see below), the attacker reached Retool's VPN and internal admin systems, where they changed the email addresses and reset the passwords of 27 customer accounts, taking them over.
Retool has not said whether its breach is connected to two incidents Okta itself has disclosed: the compromise last year of a computer used by one of Okta's third-party customer support engineers, and the takeover this month of Okta super administrator accounts at four Okta customers through social engineering of their IT help desks.
Shortly after the Retool employee clicked on the phishing link and entered their credentials, they received a phone call from someone claiming to be an IT team member. The caller was familiar with the company's office layout, employees, and internal processes. The caller asked the employee to provide an additional multi-factor authentication (MFA) code.
Retool's disclosure contends that Google Authenticator's sync feature, added in April 2023, magnified the severity of the breach. The feature copies the app's MFA secrets to the user's Google account so they follow the user onto new devices. That is convenient, but it also means that whoever controls the Google account can recover every synced secret and mint codes for every account protected by them.
In this case, the attacker used the extra MFA code the employee read out over the phone to add their own device to the employee's Okta account. From then on the attacker could produce their own Okta MFA codes, and the new device gave them an active GSuite (Google Workspace) session for the employee.
Retool head of engineering Snir Kodesh wrote that the attacker's ability to add their own device to the employee's Okta account was critical to the success of the attack. He also noted that Google's recent release of the Google Authenticator synchronization feature is highly insecure, as it means that if an attacker compromises a user's Google account, they will also have access to their MFA codes.
The post is unclear on a few points, such as whether Kodesh was referring to a one-time password (OTP) displayed by Google Authenticator, to the shared secret (the seed, usually shown as a base32 string) from which those codes are computed, or to something else entirely. Kodesh declined to comment, citing an ongoing investigation by law enforcement.
The Retool employee was tricked into sharing time-based one-time passwords (TOTPs) twice: first to log in to their Okta account, and then to enroll an attacker-controlled device running Google Authenticator into that Okta account. Somewhere along the way, the attacker also logged in to the employee's Google Workspace account.
Once the attacker had the employee's Google Workspace account, the Google Authenticator sync feature let them restore the employee's synced seeds onto a device they controlled and generate TOTPs for every account enrolled in the app, which at Retool included the VPN and internal admin systems.
In other words, every one of the employee's accounts that relied on TOTP-based 2FA was now open to the attacker, without any further phishing.
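The mechanics behind that last point, as an added example (not code from Retool, Okta or Google): a TOTP account is nothing more than a shared seed plus a few parameters, which is exactly what an enrolment QR code delivers and exactly what a cloud sync carries. Anyone holding the seed computes the same codes the victim's phone shows. The example parses an otpauth URI, implements RFC 4226/6238 code generation, and then models the two attacks in this story: a phished code relayed to the real login inside the server's acceptance window, and an attacker with the synced seed minting a fresh code a day later with no victim involved. The seed is the RFC 6238 reference key; the account label and issuer are assumed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Added example; not Retool's, Okta's or Google's code. The secret is the
# RFC 6238 reference key ("12345678901234567890") in the base32 form an
# authenticator app receives from an enrolment QR code. Account label and
# issuer are assumed values.
ENROLMENT_URI = ("otpauth://totp/Okta:alice%40example.com"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Okta"
                 "&digits=6&period=30")


def parse_otpauth(uri):
    """Return (label, secret_bytes, digits, period) from an otpauth://totp URI.

    This tuple is everything an authenticator stores per account, and
    everything a cloud sync of the app carries with it.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # QR payloads usually omit padding
    return (unquote(u.path.lstrip("/")), base64.b32decode(b32),
            int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, period=30):
    """RFC 6238: the HOTP counter is the number of periods since the Unix epoch."""
    return hotp(secret, int(at) // period, digits)


def verify_totp(secret, code, at, digits=6, period=30, window=1):
    """Server side: accept the current step plus `window` steps either side to
    tolerate clock drift. That tolerance is also what gives a phisher time to
    relay a code."""
    step = int(at) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-window, window + 1))


def attack_outcomes(uri=ENROLMENT_URI, phished_at=1_111_111_109):
    """Model the two ways an attacker obtains a valid code when TOTP is the only
    second factor. Timestamps are fixed so the result is reproducible."""
    _, secret, digits, period = parse_otpauth(uri)
    typed_code = totp(secret, phished_at, digits, period)   # what the victim typed into the phishing page
    return {
        # relayed to the real login 25 s later (next step, inside the window): accepted
        "relay_within_window": verify_totp(secret, typed_code, phished_at + 25, digits, period),
        # relayed 90 s later (three steps on): rejected, the code has expired
        "relay_after_window": verify_totp(secret, typed_code, phished_at + 90, digits, period),
        # attacker holding the synced seed needs no victim: a code minted on their
        # own device a day later verifies
        "seed_holder_next_day": verify_totp(
            secret, totp(secret, phished_at + 86_400, digits, period),
            phished_at + 86_400, digits, period),
    }


if __name__ == "__main__":
    for name, accepted in attack_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The relay case is the phishing page that hit Retool: the code is only good for one or two 30-second steps, but the attacker is relaying it in real time, so that is plenty. The seed-holder case is what the sync feature adds: with the seed in hand, the attacker is a second authenticator, indefinitely, and no login prompt the victim sees is needed.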
“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this 'feature.' If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to 'disable syncing to the cloud,' instead there is just a 'unlink Google account' option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync 'feature.' We will get more into this later.
We use OTPs extensively at Retool: it’s how we authenticate into Google and Okta, how we authenticate into our internal VPN, and how we authenticate into our own internal instances of Retool. The fact that access to a Google account immediately gave access to all MFA tokens held within that account is the major reason why the attacker was able to get into our internal systems.
Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”
Of course, it may be that Kodesh was trying to deflect responsibility away from his own organization, but he raised some decent points that should be considered.
Retool's biggest mistake was relying on a form of MFA whose only secret is a time-based one-time password (TOTP). It has been clear for years that TOTPs can be phished with little effort: a code the victim types into a look-alike page remains valid for the real login until its 30-second step, plus whatever drift window the server tolerates, runs out, and a real-time phishing kit relays it well inside that time.
MFA methods that comply with the industry-wide FIDO2 standard resist credential phishing attacks like the one that hit Retool. The reason is not the hardware as such but origin binding: a FIDO2 credential is registered for a specific website, and the authenticator, whether a USB, NFC or Bluetooth security key or one built into a phone or laptop, will only sign a login challenge for the site the browser is actually on. An attacker on a look-alike domain gets nothing the real site will accept, and, unlike an OTP, there is no code for the user to read out over the phone.
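To make the origin-binding argument concrete, here is an added example (not code from Retool, Okta or any FIDO2 vendor) that models the three parties in a WebAuthn login: the authenticator, the browser, and the relying party's verification. Origins and the user name are assumed. To stay on the Python standard library an HMAC under a per-credential key stands in for the authenticator's ECDSA signature; the checks that defeat the phisher, which are the point, are identical with a real signature. The example runs the legitimate login, then the Retool-style relay from a look-alike domain, then a tampered client that forces the real RP ID but cannot hide the origin.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Added example, not code from Retool, Okta or any FIDO2 vendor; origins and
# user names are assumed. To stay on the standard library, an HMAC under a
# per-credential key stands in for the authenticator's ECDSA signature; the
# origin-binding checks, which are the point, are unchanged by that swap.

def rp_id_for_origin(origin):
    """The browser derives the RP ID from the page origin; the page cannot choose it."""
    return urlparse(origin).hostname

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """A security key: each credential is scoped to one RP ID at registration."""
    def __init__(self):
        self._creds = {}                              # rp_id -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key                           # the RP stores these at enrolment

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags(UP)|signCount
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig

def browser_get(authenticator, page_origin, challenge):
    """navigator.credentials.get(): the browser, not the page, records the true
    origin in clientDataJSON and scopes the request to that origin's RP ID."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id_for_origin(page_origin), hashlib.sha256(client_data).digest())
    return {"credential_id": cred_id, "client_data": client_data,
            "authenticator_data": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, rp_id_for_origin(origin)
        self.keys, self.pending = {}, {}              # credential_id -> key, user -> challenge

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, assertion):
        """The WebAuthn verification steps that defeat a relaying phisher."""
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.pop(user, None):
            return False, "challenge mismatch or replay"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        auth_data = assertion["authenticator_data"]
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return False, "rpIdHash mismatch"
        key = self.keys.get(assertion["credential_id"])
        if key is None:
            return False, "unknown credential"
        expected = hmac.new(key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"

def demo(real_origin="https://login.example.com", phish_origin="https://login-example.com"):
    rp, key_fob = RelyingParty(real_origin), Authenticator()
    cred_id, key = key_fob.make_credential(rp.rp_id)
    rp.keys[cred_id] = key
    out = {"legitimate": rp.finish_login(
        "alice", browser_get(key_fob, real_origin, rp.begin_login("alice")))}
    # Phisher relays the real challenge to the victim on a look-alike domain. The
    # browser scopes the request to that domain's RP ID, for which the key holds
    # nothing, so there is no assertion to relay back.
    challenge = rp.begin_login("alice")
    try:
        browser_get(key_fob, phish_origin, challenge)
        out["phished_browser"] = (True, "assertion produced")
    except LookupError as e:
        out["phished_browser"] = (False, str(e))
    # A tampered client that forces the real RP ID still cannot hide where the
    # user was: the signed clientDataJSON carries the phishing origin.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": phish_origin}, sort_keys=True).encode()
    cred_id, auth_data, sig = key_fob.get_assertion(rp.rp_id, hashlib.sha256(forged).digest())
    out["tampered_client"] = rp.finish_login("alice", {
        "credential_id": cred_id, "client_data": forged,
        "authenticator_data": auth_data, "signature": sig})
    return out

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({why})")
```

Contrast this with the TOTP flow: there, the server only ever sees a six-digit number and cannot tell whether the user typed it into the real page or into the attacker's. Here the browser writes the origin into the signed data and the authenticator refuses to answer for a domain it was never registered with, so the phishing page has nothing to relay and nothing to ask the victim to read out.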
Kodesh acknowledged that FIDO2 provides resilience to such attacks, but he did not say why Retool did not use it or when the company might start.
Kodesh is right that Google Authenticator's syncing is far more lenient than the backup options other authenticator apps offer. Authy, for example, does not sync by default, and when a user turns backups on, the TOTP secrets are end-to-end encrypted on the device with a user-chosen backup password before they leave it. What sits on the servers of Authy's corporate parent, Twilio, is an opaque encrypted blob; without the password, the secrets are unrecoverable, even to someone who takes over the account.
In addition, enrolling a new device in Authy requires both (1) access to either an already-enrolled device or control of the phone number associated with the Authy account and (2) the password that encrypts the codes. Authy also allows users to flip a switch that prevents any new devices from being enrolled. These protections are a key selling point for the app.
A Google representative provided an email response about the topic that did not challenge Kodesh’s description of the Authenticator backup feature; instead, the representative tried to make the case that the feature provides an overall positive impact.
“We believe that, for most users, the benefits of cloud syncing outweighs the risks,” the representative said, continuing, “Consumers typically have no ‘administrator’ to go back to when they lose access to their OTPs, and they often have to fall back to more insecure methods when they inevitably switch devices. We do recognize that in certain enterprise environments it might be preferred to have the OTP codes stored purely locally, which is why Google Authenticator offers users the ability to use Google Authenticator without syncing codes to a Google Account.”
Google Authenticator users who want syncing turned off should check that the app shows a cloud icon with a line through it (see below); that icon indicates the codes are stored only on the device.
Google Authenticator app showing crossed out cloud icon
The Google representative said that allowing administrators to disable syncing in Google Authenticator could result in enterprise users resorting to backing up their 2FA codes on personal accounts, which would be less secure. The representative also reiterated the point that FIDO2-based MFA is more secure than TOTP-based MFA.
According to the Google team member, “Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”
FIDO2-Compliant MFA is the Gold Standard for Account Security
The most important lesson from this story is that FIDO2-compliant MFA is the gold standard for account security, because a credential bound to the real site cannot be handed to a phisher the way a TOTP can. It is not always the most practical or affordable option, and for those who stick with TOTPs, Google Authenticator is a reasonable compromise between usability and security for individuals, who have no administrator to turn to and would otherwise risk being locked out when they lose a device. For enterprises like Retool, where administrators can manage accounts and where a single compromised Google account must not unlock every MFA-protected system, a TOTP app that syncs seeds to the cloud by default, with no central way to turn that off, is not an acceptable option.
Webcheck Security has a deep understanding of MFA technologies and best practices. Webcheck Security can help you to:
Choose the right MFA solution for your needs and budget.
Implement MFA in a way that is both secure and user-friendly.
Manage and monitor your MFA solution to ensure that it is working properly.
Contact Webcheck Security today.