Proton has fixed a serious bug in its new Authenticator app for iOS that accidentally exposed users’ sensitive two-factor authentication (2FA) secrets in plaintext within the app’s logs.

The issue came to light shortly after Proton released its new Authenticator app, a free and standalone 2FA tool available for Windows, macOS, Linux, Android, and iOS. The app helps users store TOTP (Time-based One-Time Password) secrets used to generate one-time codes for signing into websites and apps.

Over the weekend, a concerned user shared a now-deleted post on Reddit describing how their TOTP secrets were being logged in plain text. They explained that after importing their 2FA accounts and enabling backup and sync, several entries disappeared unexpectedly—possibly after editing a label. When the user checked the debug logs found under Settings > Logs, they discovered that their TOTP secrets were fully visible, including for sensitive accounts like Bitwarden.

Other users confirmed the problem and pointed out the likely cause. The iOS app’s code was adding TOTP secrets to a variable used in logging, which unintentionally exposed them in local log files.

Proton has acknowledged the issue and confirmed that the problem was fixed in version 1.1.1, which was released to the App Store just hours after the discovery.

In a statement to BleepingComputer, Proton emphasized that secrets were never sent to their servers in plaintext, and that all synchronization is protected by end-to-end encryption. They also clarified that the logs remained local and were not transmitted online.


“Even without this logging issue, if someone has full access to your device, they can still obtain these secrets,” Proton explained. “That’s why it’s essential to keep your device secure. This situation falls outside the threat model that Proton or any 2FA app can defend against.”

Although the bug was not exploitable remotely, the bigger concern was that users might unknowingly share these logs with support teams or online forums while troubleshooting—potentially giving third parties access to their 2FA secrets. These secrets could then be imported into another authenticator app and used to generate codes to log into someone else’s accounts.
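As an added illustration (not Proton's code, which this article does not show), the Python sketch below puts the pattern described above next to a safe variant: a record type whose default `repr` prints the seed whenever the object is formatted into a log message, versus one that excludes the seed and refers to the entry by a one-way fingerprint. It also includes a small scrubber a user or support engineer could run over a debug log before sharing it, which is the exposure path the paragraph above is worried about. The log lines, seeds, regex heuristics and the `fingerprint` helper are all constructed assumptions for this example.

```python
"""Added example, not Proton's code: the 'log the whole object' pattern next to
a safe one, plus a scrubber for debug logs.  All secrets/log lines are constructed."""
import hashlib
import re
from dataclasses import dataclass, field

# --- the pattern behind the bug vs. a safe variant -----------------------------

@dataclass
class LeakyEntry:
    """Default dataclass repr prints every field, so any debug statement that
    formats the object writes the TOTP seed to the log file."""
    label: str
    secret: str


@dataclass
class SafeEntry:
    """repr=False keeps the seed out of repr(); log lines can refer to the
    entry by a one-way fingerprint instead (hypothetical helper)."""
    label: str
    secret: str = field(repr=False)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.secret.encode()).hexdigest()[:8]


def log_line_for(entry) -> str:
    """What a naive 'saved entry {entry!r}' debug statement emits."""
    return f"saved entry {entry!r}"


# --- scrubbing logs before they are shared -------------------------------------

# secret=... inside an otpauth:// URI (TOTP seeds are base32: A-Z and 2-7).
OTPAUTH_SECRET = re.compile(r"(?i)(secret=)[A-Z2-7]{8,}=*")
# Heuristic: a bare run of 16-64 uppercase base32 characters looks like a seed.
BARE_BASE32 = re.compile(r"\b[A-Z2-7]{16,64}={0,6}\b")


def redact(text: str) -> str:
    """Replace anything that looks like a TOTP seed with a marker."""
    text = OTPAUTH_SECRET.sub(r"\1[REDACTED]", text)
    return BARE_BASE32.sub("[REDACTED-BASE32?]", text)


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding kind, redacted line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if OTPAUTH_SECRET.search(line):
            findings.append((lineno, "otpauth-secret", redact(line)))
        elif BARE_BASE32.search(line):
            findings.append((lineno, "base32-like", redact(line)))
    return findings


# Constructed sample log in the spirit of the report above; the seeds are dummies
# and the fp= value is a made-up placeholder, not a real hash.
SAMPLE_LOG = """\
2025-08-03 10:01:02 INFO  sync started (3 entries)
2025-08-03 10:01:03 DEBUG saved entry LeakyEntry(label='Bitwarden', secret='JBSWY3DPEHPK3PXP')
2025-08-03 10:01:03 DEBUG import otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQ&issuer=Example
2025-08-03 10:01:04 INFO  label renamed for entry fp=3c0d2f7a
"""

if __name__ == "__main__":
    seed = "JBSWY3DPEHPK3PXP"
    print(log_line_for(LeakyEntry("Bitwarden", seed)))   # seed visible
    print(log_line_for(SafeEntry("Bitwarden", seed)))    # seed absent
    for lineno, kind, clean in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {clean}")
```

The bare-base32 check is deliberately loose and will flag some long uppercase words; for a pre-share scrub that is the right trade-off, since a false positive costs a manual look while a miss hands a working seed to whoever reads the log.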


Proton has since updated the app to remove sensitive information from logs going forward. If you use the iOS version of Proton Authenticator, make sure to update to the latest version immediately.
