A recently disclosed weakness in the Android version of Google Authenticator lets other software on the device read the one-time codes it displays.
Nightwatch Cybersecurity found that the app does not mark its window as secure, so its contents are included in screenshots and screen recordings, and any rogue app that has obtained screen-capture ability on the device can grab the OTP codes as they are shown.
If you have the app on your phone you can open it right now, press the Power and Volume Down buttons at the same time, and see that a screenshot showing the codes is taken.
Google launched Google Authenticator in 2010 as a more secure authentication method; it generates six- to eight-digit one-time passcodes (OTPs) that serve as the second factor when logging in to many services.
Nightwatch Cybersecurity filed a bug report and Google opened an internal bug, but the flaw is still not fixed in the latest version.
Google could close the hole by setting FLAG_SECURE on the window that shows the codes; Android then excludes that window from screenshots and screen recordings, whether taken by the user or by another app. The flag stops pixel capture only: it does not prevent an accessibility service from reading the displayed text, it can be bypassed on a rooted device, and it does nothing against a camera pointed at the screen.
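As an added illustration (not code from Google Authenticator or from the Nightwatch advisory), here is how an Android activity that renders an OTP opts its window out of screen capture with FLAG_SECURE. The activity class name and the hard-coded code string are assumptions made for the example.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

// Hypothetical activity standing in for the screen that displays an OTP code.
public class OtpDisplayActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set FLAG_SECURE before any content is attached to the window. The
        // window manager then leaves this window's pixels out of screenshots,
        // screen recordings (MediaProjection) and non-secure displays such as
        // screen mirroring. The Power + Volume Down gesture yields a black or
        // blank region where the code would be.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // Constructed placeholder; a real app renders the current TOTP here.
        TextView codeView = new TextView(this);
        codeView.setText("123 456");
        codeView.setTextSize(40f);
        setContentView(codeView);
    }
}
```

FLAG_SECURE is a per-window setting, so every activity (and any dialog) that can show a code needs it, and it has to be applied before the window is first drawn to avoid a frame in which the code is capturable. It only stops the platform from copying the window's pixels: an accessibility service still receives the TextView's text, a rooted device can strip the flag, and a photo of the screen is unaffected, so it closes the screenshot path but is not a complete defence for on-screen secrets.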
Google could have fixed this when the issue was first raised on GitHub back in 2014, but the app still carries the bug.
Malware can exploit the flaw
It was previously reported that malware exploits this weakness: the security company ThreatFabric first found a feature in the Android banking trojan Cerberus that steals Google Authenticator 2FA codes by capturing what the app shows on screen while it is in the foreground.
It is not just Google Authenticator
Back in 2018, Nightwatch Cybersecurity found that Microsoft Authenticator for Android had the same flaw. They reported it to Microsoft, which responded:
“Our team assessed the issue, and this does not meet the bar for servicing. We have informed the product team about this issue. MSRC is closing the case.”
“As for CVE, since there is no fix going for this, we will not be assigning any CVE for this issue.”
The issue remained unfixed at the time this article was written.