Top business software development platform Retool breached, blames Google Authenticator

Software development platform Retool has pointed the finger of blame at Google after struggling an information breach.

Here’s what occurred: a hacking collective engaged in SMS phishing and social engineering managed to steal login credentials for an Okta account belonging to a Retool IT worker. It was fairly an elaborate scheme, too, because it included making a pretend inside id portal for Retool and impersonating an worker as a way to have the sufferer share their multi-factor authentication (MFA) code. 

But on condition that the corporate used Google’s MFA software, Authenticator, Retool’s head of engineering, Snir Kodesh, says it’s all Google’s fault. The search engine behemoth not too long ago launched a brand new function in Authenticator, which permits customers to be logged into the software on a number of endpoints. This enabled the attackers to trick their manner into Authenticator, and in the end – Okta.

Account takeover

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,” BleepingComputer cited Kodesh saying. “This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”

“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it.”

Google, then again, was comparatively delicate in its response. It reminded Kodesh that the synchronization function is non-obligatory, and urged they transfer from passwords to safer authentication strategies, resembling passkeys:

“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant,” a Google spokesperson instructed BleepingComputer.

“Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies,” the Google spokesperson stated.

“While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”

More from TechRadar Pro

• Downloaded one thing suspicious? Here are the greatest malware elimination instruments to do away with something dodgy
• Keep your gadgets behind the greatest firewall for an additional layer of safety
• New Google Chrome browser safety plan slammed by specialists