CVE-2024-45394

Name of the Vulnerable Software and Affected Versions: Authenticator versions prior to 8.0.0

Description: The Authenticator browser extension generates two-step verification codes. In versions prior to 8.0.0, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP BytesToKey KDF. This allows attackers with a copy of a user's data to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login.

Recommendations: For versions prior to 8.0.0, update to version 8.0.0 or later to ensure your data's safety from brute-force attacks. Additionally, destroy encrypted backups made with versions prior to 8.0.0.