Hackers can steal 2FA codes and private messages from Android phones

According to the GrapheneOS discussion, users who have opted in to the security preview releases have already received the December security patch that Google has released in advance (something like a beta preview, I imagine?).

According to the Reddit thread, you can mitigate this in Aegis Authenticator by enabling “tap to reveal” on the codes and ideally not writing any sensitive info in the names; for example, you can write “gh” for GitHub. However, this vulnerability can be used not just against 2FA apps but against any app on your phone. So the attacker can read your browser, your emails, etc.

So IMO, the best defence (besides using GrapheneOS) is using a firewall such as AFWall+ or NetGuard and blocking the internet connection of any app you’re not 100% sure is safe. This way the app cannot exfiltrate the info from your device. Just like on Windows, an infostealer is harmless if it cannot report the stolen information to its author.

4 Likes

Now I’m waiting for Google to use this as an example for cracking down on sideloading :upside_down_face:

Passkeys can definitely protect against this attack though, assuming that this app has no other permissions.

7 Likes

Loving my YubiKey.

1 Like

This is some brilliant research.

Just confirming that “tap to reveal” is not an option for Proton Authenticator, unless I missed it. There’s a “hide all codes” option that just places the code in the clipboard when you tap it. Not ideal if you’re logging in to anything not on your phone.

1 Like

That quirk then causes the issue of whether this hypothetical malware can access your clipboard to obtain Proton Authenticator’s codes.

There are simply too many real-world and hypothetical attacks involving 2FA keys. No wonder there is a slow industry transition away from them in favor of passkeys.

2 Likes

Yeah, but now that I think about it, what service would let one user at two different IP addresses log in with the same 2FA code seconds apart? OTP codes are single use.

They would have to ALSO both be in the same session, so if the attacker already has a session stealer going, why bother with a highly sophisticated 2FA snooping attack? Session stealers defeat 2FA and passkeys anyway, so the attacker doesn’t need to bother with any of this.