I was excited to try the new Proton Authenticator app on iOS. Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly, I came back to find that about half of my 2FA entries were gone. I think it might’ve happened after the label edit, but I’m not 100% sure. Could’ve been something else. Either way, they disappeared without any error or warning.
I wanted to do the right thing and submit a bug report. While preparing it, I opened the log file the app generates, and that’s when it went from mildly annoying to deeply concerning. Turns out, the log contains full TOTP secrets in plaintext. Yes, including the one for my Bitwarden account.
I'm attaching two screenshots:

- A snippet from the Proton Authenticator log
- An export from the 2FAS app for comparison
As you can see, the format matches exactly. These are the raw secrets used to generate 2FA codes. Logging them at all, let alone in plain text, is a huge security red flag.
I originally posted this on r/ProtonPass. That was over 24 hours ago. Still stuck "awaiting moderation", while other, newer posts have gone through. Not a great look.
Just wanted to raise awareness here.
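As an added illustration (not part of the original post, and not code from Proton or 2FAS), the Python below shows why a logged base32 secret is the whole credential: fed into RFC 6238 it yields the same codes the app produces, checked here against the RFC's own SHA-1 test vector. It also shows the kind of redaction filter a logging layer should apply before a line ever hits disk. The log lines are constructed for this example; the real Proton Authenticator log format is not reproduced here, and the filter only assumes secrets appear either as bare base32 tokens or inside `otpauth://` URIs.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import List, Optional

# RFC 6238 reference secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample log lines (assumed format, not the app's real output).
LOG_SAMPLE = [
    "2024-01-01T00:00:00Z INFO  sync: entry updated label=Bitwarden",
    "2024-01-01T00:00:01Z DEBUG entry uri=otpauth://totp/Example:alice"
    "?secret=" + RFC_SECRET + "&issuer=Example",
    "2024-01-01T00:00:02Z DEBUG raw secret " + RFC_SECRET + " period=30 digits=6",
]

# secret=<base32> inside an otpauth:// URI (case-insensitive on purpose).
SECRET_PARAM = re.compile(r"(?i)(secret=)([A-Z2-7]+=*)")
# A bare base32 token of realistic secret length (>= 80 bits), not glued to
# other alphanumerics. Hex never matches because 0/1/8/9 are outside A-Z2-7.
BARE_BASE32 = re.compile(r"(?<![A-Za-z0-9])[A-Z2-7]{16,}=*(?![A-Za-z0-9])")


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP computed from a base32 secret, exactly as an app would."""
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)          # restore stripped padding
    key = base64.b32decode(padded)
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def secrets_in_log(lines: List[str]) -> List[str]:
    """Harvest every TOTP secret an attacker could lift from the log."""
    found = []
    for line in lines:
        for m in SECRET_PARAM.finditer(line):
            found.append(m.group(2).upper())
        # scan what is left after URI secrets are masked, so nothing is counted twice
        rest = SECRET_PARAM.sub(r"\g<1>[REDACTED]", line)
        for m in BARE_BASE32.finditer(rest):
            found.append(m.group(0))
    return found


def redact_log(lines: List[str]) -> List[str]:
    """Filter to run before writing: masks URI secrets and bare base32 tokens."""
    out = []
    for line in lines:
        line = SECRET_PARAM.sub(r"\g<1>[REDACTED]", line)
        line = BARE_BASE32.sub("[REDACTED]", line)
        out.append(line)
    return out


if __name__ == "__main__":
    # Anyone holding the log can mint valid codes for every harvested secret.
    for s in secrets_in_log(LOG_SAMPLE):
        print("leaked secret", s[:4] + "...", "-> current code", totp(s))
    # The same lines after redaction keep their diagnostic value, minus the secret.
    for line in redact_log(LOG_SAMPLE):
        print(line)
```

The `totp()` call with `for_time=59` reproduces the RFC 6238 table (`287082` at six digits, `94287082` at eight), which is the same arithmetic the app runs; nothing beyond the base32 string is needed. The redaction regexes are deliberately greedy: a false positive on an innocent uppercase token costs a little debug context, while a single false negative is a full account takeover factor.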