Software program improvement platform Retool has pointed the finger of blame at Google after struggling an information breach.
Right here’s what occurred: a hacking collective engaged in SMS phishing and social engineering managed to steal login credentials for an Okta account belonging to a Retool IT worker. It was fairly an elaborate scheme, too, because it included making a pretend inner identification portal for Retool and impersonating an worker as a way to have the sufferer share their multi-factor authentication (MFA) code.
However on condition that the corporate used Google’s MFA device, Authenticator, Retool’s head of engineering, Snir Kodesh, says it’s all Google’s fault. The search engine behemoth lately launched a brand new characteristic in Authenticator, which permits customers to be logged into the device on a number of endpoints. This enabled the attackers to trick their approach into Authenticator, and in the end – Okta.
“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,” BleepingComputer cited Kodesh saying. “This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”
“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it.”
Google, alternatively, was comparatively gentle in its response. It reminded Kodesh that the synchronization characteristic is optionally available, and steered they transfer from passwords to safer authentication strategies, equivalent to passkeys:
“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant,” a Google spokesperson instructed BleepingComputer.
“Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies,” the Google spokesperson mentioned.
“While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”