BIPI

Retool August 2023: How TOTP Cloud Sync Broke MFA

Threat Intelligence

A spear-phishing call to a Retool employee chained with Google Authenticator's cloud sync feature to compromise 27 of the company's cryptocurrency customers. The single strongest case in 2023 for FIDO2 over TOTP.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 21, 2024 · 8 min read

#retool · #spear-phishing · #mfa-bypass

Retool disclosed on September 13, 2023 that a spear-phishing campaign against its employees had succeeded, and that the operators had used the access to pivot into 27 cloud customer accounts, all in the cryptocurrency vertical. The technical detail that shaped the industry conversation was not the phishing itself but the MFA bypass: Google Authenticator's then-recent cloud sync feature had effectively converted TOTP from 'something you have' into 'something in your Google account.'

Timeline of the attack

  1. August 27, 2023: Retool employees receive SMS messages spoofing the IT team about a healthcare benefits issue. The message includes a link to a fake login portal.
  2. Most employees ignore the SMS. One clicks and authenticates against the fake portal, which captures their Okta credentials and a TOTP code.
  3. Shortly after: The attacker calls the employee, impersonating an IT staff member (using a deepfake of the actual IT employee's voice, per Retool's blog). The employee provides an additional MFA code during the call.
  4. Once signed in to Okta as the employee, the attacker also gains access to the employee's Google account, because Okta was the SSO provider for Google Workspace at Retool.
  5. Google Authenticator's cloud-sync feature had been enabled. The attacker pulls all TOTP seeds from the employee's Google account to their own device.
  6. With cloned TOTP seeds, the attacker accesses Retool's internal admin systems and pivots to 27 cryptocurrency customer environments.

Root cause: Google Authenticator cloud sync removed the second factor

Retool's blog post named the specific feature: Google's April 2023 update to Google Authenticator that synced TOTP seeds to the user's Google account. Before that update, compromising a Google account did not give you TOTP codes from Authenticator on the user's phone; you needed the device. After the update, the TOTP seeds traveled with the Google account, which meant the second factor was now downstream of the first factor. Retool itself had FIDO2 on its roadmap but had not enforced it yet.

What the operators did with customer access

Retool's admin tooling included visibility into customer apps built on the platform, and in some cases the ability to act on behalf of customer admins. The operators used this access to pivot into crypto customer environments, where they appear to have attempted wallet draining and transaction signing. Public attribution (consistent across Retool's own reporting and downstream reporting from named victims like Fortress Trust) points to a financially motivated actor with overlap to the broader 0ktapus / Scattered Spider cluster.

Detection signals organizations could have hunted

  • Okta MFA enrollment events for a new device on accounts with existing TOTP factors, especially within 24 hours of any suspicious sign-in.
  • Google Workspace audit log events for 'Account Sync' or 'Authenticator restored' on privileged users.
  • Voice-channel authentication requests outside normal IT process (Retool's own playbook now disallows out-of-band MFA assistance over phone).
  • DNS resolutions of look-alike variants of the corporate IdP domain, which indicate that an SMS-delivered link was clicked.
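The first signal above, written out as a hunt over Okta System Log records. This is an added example and not code from the original post or from Retool; the log lines, users, IPs, countries and the per-user country baseline are constructed, and the event names `user.session.start` and `user.mfa.factor.activate` are the Okta System Log event types for a new session and a new factor activation.

```python
import json
from datetime import datetime, timedelta, timezone

SIGN_IN = "user.session.start"              # Okta System Log: session established
FACTOR_ENROLL = "user.mfa.factor.activate"  # Okta System Log: new MFA factor activated
WINDOW = timedelta(hours=24)

# Constructed sample log (JSON lines). Field names follow the Okta System Log
# schema; users, IPs, countries and timestamps are made up for this example.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2023-08-27T09:15:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2023-08-27T18:02:11.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"Romania"}}}
{"eventType":"user.mfa.factor.activate","published":"2023-08-27T18:40:50.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"Romania"}}}
{"eventType":"user.mfa.factor.activate","published":"2023-08-28T10:00:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United States"}}}
""".strip()

# Constructed baseline: countries each user is normally seen signing in from.
BASELINE = {"alice@example.com": {"United States"}, "bob@example.com": {"United States"}}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def find_enrollments_after_suspicious_signin(log_text, baseline, window=WINDOW):
    """Return (user, signin_ts, enroll_ts) for every MFA factor activation that
    follows, within `window`, a sign-in from a country outside the user's baseline."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])
    suspicious = {}   # user -> timestamps of sign-ins from unfamiliar countries
    findings = []
    for e in events:
        user = e["actor"]["alternateId"]
        ts = parse_ts(e["published"])
        country = e["client"]["geographicalContext"]["country"]
        if e["eventType"] == SIGN_IN and country not in baseline.get(user, set()):
            suspicious.setdefault(user, []).append(ts)
        elif e["eventType"] == FACTOR_ENROLL:
            for signin_ts in suspicious.get(user, []):
                if timedelta(0) <= ts - signin_ts <= window:
                    findings.append((user, signin_ts.isoformat(), ts.isoformat()))
                    break
    return findings

if __name__ == "__main__":
    for user, signin_ts, enroll_ts in find_enrollments_after_suspicious_signin(SAMPLE_LOG, BASELINE):
        print(f"ALERT {user}: factor activated at {enroll_ts} after unfamiliar sign-in at {signin_ts}")
```

Only bob is flagged: his factor activation lands 38 minutes after a sign-in from a country outside his baseline, while alice's activation follows a sign-in from her usual country.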

Lessons that finally moved organizations to FIDO2

Retool was, for many of our clients, the inflection point that made FIDO2/WebAuthn enforcement non-negotiable on admin accounts. Three properties of FIDO2 closed the Retool attack chain. First, the private key never leaves the authenticator (no cloud sync to compromise). Second, the protocol binds the credential to the origin domain (phishing portals on look-alike domains do not work). Third, voice impersonation gets the attacker nothing because there is no shareable code to ask for over the phone. If you are still on TOTP for admin access in 2024, the Retool report is the standard document to put in front of the budget approver.
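The second property above, origin binding, is enforced on the relying-party side by checks like the following. This is an added illustration, not code from Retool or from this post; the RP ID `login.example.com`, the look-alike `login-example.com`, the challenge value and the helper functions that stand in for the browser and authenticator are all constructed, and signature verification over `authenticatorData || sha256(clientDataJSON)` is left out to keep the block to the binding checks.

```python
import hashlib
import json

# Assumed relying-party configuration (constructed for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge,
                             rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks on a WebAuthn assertion that enforce origin binding.
    Returns (ok, reason). Signature verification is a separate step, omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    # authenticatorData begins with sha256(rpId) (32 bytes) followed by a flags byte.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"

def make_client_data(origin, challenge):
    # Constructed stand-in for the clientDataJSON a browser produces. The browser,
    # not the page's script, fills in the origin the ceremony actually ran on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})

def make_authenticator_data(rp_id, flags=0x01, sign_count=0):
    # Constructed stand-in for authenticatorData: rpIdHash || flags || signCount.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real challenges are random per ceremony
    # Genuine sign-in on the real origin
    print(verify_assertion_binding(make_client_data("https://login.example.com", challenge),
                                   make_authenticator_data("login.example.com"), challenge))
    # Sign-in relayed through a look-alike domain: the browser reports the look-alike origin
    print(verify_assertion_binding(make_client_data("https://login-example.com", challenge),
                                   make_authenticator_data("login-example.com"), challenge))
```

The look-alike case fails at the origin check, and would fail the rpIdHash check even if the origin check were skipped; the browser and authenticator bind both values to the domain the user actually visited, so a credential registered for the real IdP cannot be exercised from a phishing portal.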

  • 27: Crypto customer environments breached
  • 1: Retool employee who fell for the call
  • April 2023: When Google enabled TOTP cloud sync
  • 0: FIDO2 admin accounts compromised this way (industry-wide)

TOTP cloud sync is a usability win for end users and a downgrade of MFA for security architects. The Retool case shows what the downgrade costs when the wrong account is compromised.

There is a secondary lesson worth carrying into vendor reviews. When a critical service decides to change its security model (cloud sync, default-on biometrics, anything that alters where a secret lives), every downstream service inherits the change. Retool did not choose to weaken its MFA. Google made a usability decision and Retool's posture moved with it. Treating that as a category of risk, distinct from vendor breach risk, is one of the things 2023 made undeniable.
