What you need to know
- A bug in the Google Authenticator app reportedly allows screenshots of OTPs to be easily captured.
- Security researchers had recently suggested that the "Cerberus" Android malware can steal one-time codes generated by Google Authenticator.
- Google has been notified of the vulnerability, although it is yet to be fixed.
Security researchers at Dutch mobile security firm ThreatFabric claimed in a report last month that the latest version of the Android banking trojan Cerberus is capable of stealing one-time passcodes (OTP) generated by Google Authenticator and similar apps. The folks at Nightwatch Cybersecurity have now uncovered another vulnerability that could be used by malicious apps to steal one-time passcodes from Google Authenticator.
The report published by Nightwatch Cybersecurity reveals that rogue apps on Android devices might be able to steal all generated OTP codes from the Google Authenticator app, because the app allows screenshots of one-time passcodes to be captured. It notes that several rogue apps abuse Android accessibility services to pull screenshots from running apps. This could be prevented by using "FLAG_SECURE," but Google Authenticator sadly does not set the FLAG_SECURE flag on its window.
Android apps and certain platform services can capture screens from other running apps with the help of the MediaProjection API. With the FLAG_SECURE flag, the content of an app window is treated as secure, preventing it from appearing in screenshots.
While a bug report detailing the vulnerability has been submitted to Google, it hasn't been fixed yet. The bug is still present in the latest version of the Authenticator app.
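For readers who maintain their own Android apps that display secrets, the following is an added example (not code from the Nightwatch report or from the Google Authenticator project) of what the missing mitigation looks like: a hypothetical `OtpDisplayActivity` that sets `WindowManager.LayoutParams.FLAG_SECURE` before any content is laid out, plus a small helper that checks whether the flag is actually present on a window. The activity name, layout resource and helper names are assumptions for illustration.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.view.Window
import android.view.WindowManager

// Hypothetical activity that shows one-time passcodes. The only part that
// matters for the screenshot issue is the FLAG_SECURE call in onCreate().
class OtpDisplayActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Mark the window as secure BEFORE setContentView(), so no frame of
        // the OTP is ever composed into a capturable surface. With this flag
        // the window is excluded from screenshots, screen recording and
        // MediaProjection capture, and is blanked on non-secure displays.
        applySecureFlag(window)

        // R.layout.activity_otp_display is an assumed layout resource.
        setContentView(R.layout.activity_otp_display)
    }
}

// Sets FLAG_SECURE on the given window. Idempotent: calling it twice is safe.
fun applySecureFlag(window: Window) {
    window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
}

// Returns true when FLAG_SECURE is set on the window. Useful in an
// instrumentation test to catch a regression where a screen that shows
// secrets is shipped without the flag (the exact gap described above).
fun isWindowSecure(window: Window): Boolean {
    val flags = window.attributes.flags
    return (flags and WindowManager.LayoutParams.FLAG_SECURE) != 0
}
```

`FLAG_SECURE` is per window, so a dialog or a second activity that also shows the code needs the flag applied to its own window; an instrumentation test that launches each sensitive screen and asserts `isWindowSecure(activity.window)` is a cheap way to keep the protection from silently disappearing in a later release. The flag does not stop a user from reading the code off the screen or a malicious app from reading the clipboard if the code is copied, so it addresses only the screen-capture path discussed in the report.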