Software development platform Retool has pointed the finger at Google after suffering a data breach.
Here’s what happened: A hacker collective engaged in SMS-phishing and social engineering managed to steal login credentials for an Okta account belonging to a Retool IT employee. It was also a rather elaborate scheme, as it involved creating a fake internal identity portal for Retool and impersonating an employee to get the victim to share their multi-factor authentication (MFA) code.
But given that the company used Google’s MFA tool, Authenticator, Retool’s head of engineering, Snir Kodesh, says it’s all Google’s fault. The search engine giant recently introduced a new feature in Authenticator, which allows users to access the tool across multiple endpoints. This allowed attackers to deceive themselves into Authenticator and ultimately Okta.
“With these codes (and the Okta session), the attacker gained access to our VPN and, more importantly, our internal administration systems,” Sleeping computer he quoted the saying of Kodesh. “This allowed them to perform an account takeover attack on a specific group of customers (all in the cryptocurrency industry). (They changed emails for users and reset passwords.) After taking control of their accounts , the attacker snooped around some of the Retool apps.”
“We strongly believe that Google should eliminate dark patterns in Google Authenticator (which encourages saving MFA codes in the cloud), or at least provide organizations with the ability to disable it.”
Google, on the other hand, has been relatively mild in its response. He reminded Kodesh that the sync functionality is optional and suggested moving away from passwords to more secure authentication methods, such as passkeys:
“Our first priority is the safety and security of all online users, whether consumers or businesses, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond that, we continue also encourage the move towards more secure authentication technologies overall, such as passkeys, which are resistant to phishing,” a Google spokesperson told BleepingComputer.
“Phishing and social engineering risks with legacy authentication technologies, such as OTP-based ones, are why the industry is investing heavily in these FIDO-based technologies,” the Google spokesperson said.
“As we continue to work towards these changes, we want to ensure that Google Authenticator users know that they can choose whether to sync their OTPs with their Google Account or keep them stored only locally. In the meantime, we will continue to work on balancing security and usability as we We consider future improvements to Google Authenticator.”