Your Google 2FA code can be stolen with a screenshot

Google can easily fix this flaw if it wants to.


Google's Authenticator app for generating one-time passcodes has a notable security flaw: it allows its screen to be captured in screenshots. Research firm Nightwatch Cybersecurity released a report highlighting how rogue apps on Android could take advantage of this flaw to grab your passcodes every time you open Authenticator.

How the flaw works — The gist of it is that Android allows apps to capture screenshots from other running apps using an operating system API called MediaProjection. If a developer wanted to, they could use the API to capture pictures from Authenticator every time you open it, thereby grabbing your one-time passwords.

Developers can prevent screenshots from being taken in their apps by enabling the "FLAG_SECURE" setting, which, as the name suggests, treats the content of an app as secure and keeps it out of screenshots. Google simply hasn't enabled FLAG_SECURE in the Authenticator app; if it did, this problem would be eliminated. According to Nightwatch, a bug report has been filed about the issue. It's not clear that any bad actors have ever actually exploited this vulnerability — Nightwatch is simply drawing attention to it.

How Authenticator works — Authenticator is an important app because it offers two-factor authentication for signing into web accounts that is more secure than SMS-based authentication. As we've seen before, SMS-based authentication isn't foolproof: with a SIM swap, it's possible to transfer your phone number to another SIM card and gain access to your text messages.

Authenticator works instead by sharing a secret key between the Authenticator app on your phone and the website you want to log into. Every time you want to sign in to an account, you open the Authenticator app and read off a newly generated passcode, which changes every 30 seconds or so. Think of it as turning your phone into a security key akin to a Yubico YubiKey or Google's own Titan.
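To make the shared-secret, 30-second-code scheme concrete, here is an added example (not Google's or Nightwatch's code) implementing the standard TOTP algorithm (RFC 6238) that Authenticator-style apps use, plus a server-side verifier. The secret is the RFC 6238 reference test secret, and the last function measures how long a code visible on screen at a given instant remains acceptable to a verifier with a given time-skew window, which is why verifiers keep that window small.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference test secret (ASCII "12345678901234567890", Base32-encoded);
# constructed for the demo, not a real account secret.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    # Authenticator secrets are Base32; re-add padding so the decoder accepts unpadded strings.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, now: int,
           step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew` steps either side,
    comparing in constant time so a wrong guess leaks no timing information."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted)
        for k in range(-skew, skew + 1)
    )


def validity_window_seconds(secret_b32: str, captured_at: int,
                            step: int = 30, skew: int = 1) -> int:
    """How many seconds, from `captured_at`, a code displayed at that instant stays
    acceptable to a verifier with the given skew. Shows why the window is kept small."""
    code = totp(secret_b32, captured_at, step)
    t = captured_at
    while verify(secret_b32, code, t, step, skew):
        t += 1
    return t - captured_at
```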

Another app similar to Authenticator called Authy already uses the FLAG_SECURE setting to block screenshots. We'd recommend using that instead, but we suspect that now that Google knows about the oversight, it won't be long before it fixes it.