A security company is calling out a feature in Google’s authenticator app that it says made a recent internal network breach worse. ArsTechnica: Retool, which helps customers secure their software development platforms, made the criticism in a post Wednesday disclosing a compromise of its customer support system. The breach gave the attackers responsible for it access to the accounts of 27 clients, all from the cryptocurrency industry. The attack began when a Retool employee clicked on a link in a text message purporting to come from a member of the company’s IT team. It warned that the employee would not be able to participate in open enrollment for the company’s health care coverage until an account issue was resolved. The text came as Retool was in the process of moving its login platform to security company Okta.
Most of the targeted Retool employees took no action, but one logged into the linked site and, based on the wording of the poorly written disclosure, likely provided both a password and a one-time temporary password, or TOTP, for Google Authenticator. Shortly thereafter, the employee received a phone call from someone claiming to be a member of the IT team and knowledgeable about “the office layout, co-workers, and internal processes of our company.” During the call, the employee provided an “additional multi-factor code.” It was at this point, the disclosure claims, that a sync feature Google added to its authenticator in April amplified the severity of the breach, because it allowed the attackers to compromise not only the employee’s account, but also a multitude of other company accounts.