Software development platform Retool has pointed the finger of blame at Google after suffering a data breach.
Here’s what happened: a hacking collective engaged in SMS phishing and social engineering managed to steal login credentials for an Okta account belonging to a Retool IT employee. It was quite an elaborate scheme, too, as it included creating a fake internal identity portal for Retool and impersonating an employee in order to have the victim share their multi-factor authentication (MFA) code.
But given that the company used Google’s MFA tool, Authenticator, Retool’s head of engineering, Snir Kodesh, says it’s all Google’s fault. The search engine behemoth recently introduced a new feature in Authenticator, which allows users to be logged into the tool on multiple endpoints. This enabled the attackers to trick their way into Authenticator, and ultimately – Okta.
Account takeover
“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,” BleepingComputer cited Kodesh saying. “This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”
“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it.”
Google, on the other hand, was relatively mild in its response. It reminded Kodesh that the synchronization feature is optional, and suggested they move from passwords to more secure authentication methods, such as passkeys:
“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant,” a Google spokesperson told BleepingComputer.
“Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies,” the Google spokesperson said.
“While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”